From 065e6a0cd1e53eb4382ec39fca6cdb74a8250423 Mon Sep 17 00:00:00 2001
From: JT Smith
Date: Mon, 17 Nov 2003 01:19:57 +0000
Subject: [PATCH] fixed a security problem allowing post edits
---
 docs/changelog/5.x.x.txt | 2 ++
 lib/WebGUI/Forum/UI.pm | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/5.x.x.txt b/docs/changelog/5.x.x.txt
index 5bf47e90d..3881e9af9 100644
--- a/docs/changelog/5.x.x.txt
+++ b/docs/changelog/5.x.x.txt
@@ -31,6 +31,8 @@
 - Updated the German translation. (Thanks to Andreas Graf.)
 - Fixed a security problem where users could access a forum they didn't have privileges to view if they created a specific URL.
+ - Fixed a security problem where users could edit a forum post they didn't
+ create if they generated a proper URL.
 5.5.0
diff --git a/lib/WebGUI/Forum/UI.pm b/lib/WebGUI/Forum/UI.pm
index df072b6eb..3bad2e73b 100644
--- a/lib/WebGUI/Forum/UI.pm
+++ b/lib/WebGUI/Forum/UI.pm
@@ -1921,7 +1921,7 @@ sub www_postSave {
 }
 if ($session{form}{forumPostId} > 0) { # edit
 my $post = WebGUI::Forum::Post->new($session{form}{forumPostId});
- return WebGUI::Privilege::insufficient unless ($post->getThread->getForum->canPost);
+ return WebGUI::Privilege::insufficient unless ($post->canEdit);
 if ($post->getThread->getForum->get("addEditStampToPosts")) {
 $postData{message} .= "\n\n --- (".WebGUI::International::get(1029)." "
 .WebGUI::DateTime::epochToHuman(WebGUI::DateTime::time())." ".WebGUI::International::get(1030)
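Review bot: The edit branch of www_postSave now relies on `$post->canEdit` alone, and the forum-level `canPost` check it replaces is gone. canEdit is defined outside this hunk, so it is worth confirming that it also covers forum access and returns false for a post id that does not exist; if it does not, keep both with `return WebGUI::Privilege::insufficient unless ($post->canEdit && $post->getThread->getForum->canPost);`. Because the post is looked up from the request-supplied `forumPostId`, any other handler that loads a post by that id (none is visible here) presumably needs the same per-object check. A short comment on the line, such as `# authorize against this post, not just the forum`, would help keep the check from being loosened back to the forum level later. www_postSave starts and ends outside the hunk.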