Only allow users to read their own messages.
authorTom Hughes <tom@compton.nu>
Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
app/controllers/message_controller.rb

index 9b678e274aa06b526471811cd56c7a5d39847c2e..d8689c28a0fe7b2925929dcd5abb2bff9c32659e 100644 (file)
@@ -29,12 +29,11 @@ class MessageController < ApplicationController
 
   def read
     @title = 'read message'
-    if params[:message_id]
-      id = params[:message_id]
-      @message = Message.find_by_id(id)
-      @message.message_read = 1
-      @message.save
-    end
+    @message = Message.find(params[:message_id], :conditions => ["to_user_id = ?", @user.id])
+    @message.message_read = 1
+    @message.save
+  rescue ActiveRecord::RecordNotFound
+    render :none, :status => :not_found
   end
 
   def inbox
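Review bot: The not-found branch on the `rescue ActiveRecord::RecordNotFound` line passes `:none` positionally to `render`, which in Rails of this era is treated as a template name rather than an empty-body option; the documented form is `render :nothing => true, :status => :not_found`. Routing both a missing id and another user's message through the same 404 is the right choice, since it avoids revealing whether a given message_id exists. The `find` call also dereferences `@user.id` unconditionally, so if no before_filter guarantees an authenticated user for this action (not visible in the hunk) a nil `@user` would surface as a 500 instead of a redirect to login; worth confirming against the controller's filters. A one-line comment on the `find` line, `# scope by recipient so a user can only read mail addressed to them`, would record why the `:conditions` clause must not be dropped.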