From 5801176edc13de948fb526f524dccb5cfff72e10 Mon Sep 17 00:00:00 2001
From: epriestley
Date: Thu, 6 Mar 2014 14:06:07 -0800
Subject: [PATCH] When creating a new Phame blog post, check that the author has permission to post to the blog

Summary: Via HackerOne. We're missing this permissions check, so you can sneak around it with URL editing right now. I checked the other queries in this application and they seem OK.
Test Plan: Tried to post to a blog I had no permission to join.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran
Differential Revision: https://secure.phabricator.com/D8423
---
 .../phame/controller/post/PhamePostEditController.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/applications/phame/controller/post/PhamePostEditController.php b/src/applications/phame/controller/post/PhamePostEditController.php
index 37356b80b3..b780fca017 100644
--- a/src/applications/phame/controller/post/PhamePostEditController.php
+++ b/src/applications/phame/controller/post/PhamePostEditController.php
@@ -36,6 +36,11 @@ final class PhamePostEditController
 $blog = id(new PhameBlogQuery())
 ->setViewer($user)
 ->withIDs(array($request->getInt('blog')))
+ ->requireCapabilities(
+ array(
+ PhabricatorPolicyCapability::CAN_VIEW,
+ PhabricatorPolicyCapability::CAN_JOIN,
+ ))
 ->executeOne();
 if (!$blog) {
 return new Aphront404Response();
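Review bot: The new `requireCapabilities()` call is the only place the CAN_JOIN requirement for posting is expressed, and nothing in the hunk records why CAN_VIEW alone is not enough, so a one-line comment above it would keep the check from being relaxed during a later refactor, e.g. `// Creating a post requires CAN_JOIN on the blog; CAN_VIEW alone only lets the viewer read it.`. With capabilities required, the `if (!$blog)` branch on the following line presumably covers only an unknown blog id — as far as I recall from the policy query base class, a viewer who can see the blog but lacks CAN_JOIN is rejected by `executeOne()` with a policy exception rather than this 404, which is the intended outcome but worth stating in the same comment. The enclosing method starts and ends outside the hunk, so whether the same guarded lookup is reused when editing an existing post's blog cannot be confirmed from here.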