Only allow users to read their own messages.

author Tom Hughes <tom@compton.nu>

Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)

committer Tom Hughes <tom@compton.nu>

Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
author Tom Hughes <tom@compton.nu>
Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb

index 9b678e274aa06b526471811cd56c7a5d39847c2e..d8689c28a0fe7b2925929dcd5abb2bff9c32659e 100644 (file)
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -29,12 +29,11 @@ class MessageController < ApplicationController
  
    def read
      @title = 'read message'
-    if params[:message_id]
-      id = params[:message_id]
-      @message = Message.find_by_id(id)
-      @message.message_read = 1
-      @message.save
-    end
+    @message = Message.find(params[:message_id], :conditions => ["to_user_id = ?", @user.id])
+    @message.message_read = 1
+    @message.save
+  rescue ActiveRecord::RecordNotFound
+    render :none, :status => :not_found
    end
  
    def inbox
author	Tom Hughes <tom@compton.nu>
	Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)
committer	Tom Hughes <tom@compton.nu>
	Wed, 22 Aug 2007 07:38:50 +0000 (07:38 +0000)