From: Tom Hughes
Date: Wed, 22 Aug 2007 07:38:50 +0000 (+0000)
Subject: Only allow users to read their own messages.
X-Git-Tag: live~8166
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/8b62df8b9c847a0e29e570b3fff302b5f84cf9df
Only allow users to read their own messages.
---
diff --git a/app/controllers/message_controller.rb b/app/controllers/message_controller.rb
index 9b678e274..d8689c28a 100644
--- a/app/controllers/message_controller.rb
+++ b/app/controllers/message_controller.rb
@@ -29,12 +29,11 @@ class MessageController < ApplicationController
 def read
 @title = 'read message'
- if params[:message_id]
- id = params[:message_id]
- @message = Message.find_by_id(id)
- @message.message_read = 1
- @message.save
- end
+ @message = Message.find(params[:message_id], :conditions => ["to_user_id = ?", @user.id])
+ @message.message_read = 1
+ @message.save
+ rescue ActiveRecord::RecordNotFound
+ render :none, :status => :not_found
 end
 def inbox
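Review bot: The not-found branch calls `render :none, :status => :not_found`, and `:none` does not look like a render form Rails accepts, so a request for a message the user does not own may end in a server error rather than a clean 404; the usual form is `render :nothing => true, :status => :not_found`. The ownership check `["to_user_id = ?", @user.id]` is only as strong as `@user`. The filter that sets `@user` is outside this hunk, so it is worth confirming that a login-requiring before_filter covers `read`; otherwise `@user.id` is evaluated on nil, which on Ruby of this era may not raise. `@message.save` also ignores its return value, so a failed update of `message_read` would pass silently.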