From 755922fb573556be748d7aafd4a279926ec2dc10 Mon Sep 17 00:00:00 2001
From: Frank Dillon
Date: Mon, 22 May 2006 22:55:31 +0000
Subject: [PATCH] Fixed security hole where anyone could add events to anyone's existing badge
---
 lib/WebGUI/Asset/Wobject/EventManagementSystem.pm | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
index f47d5db9c..748a7397a 100644
--- a/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
+++ b/lib/WebGUI/Asset/Wobject/EventManagementSystem.pm
@@ -2167,6 +2167,10 @@ sub www_addEventsToBadge {
 my $bid = $self->session->form->process('bid') || 'none';
 my $eventId = $self->session->form->process('eventId');
 unless ($bid eq 'none') {
+ my ($userId,$createdByUserId) = $self->session->db->quickArray("select userId, createdByUserId from EventManagementSystem_badges where badgeId=".quote($bid));
+ unless($isAdmin || $userId eq $self->session->user->userId || $createdByUserId eq $self->session->user->userId) {
+ return $self->session->privilege->insufficient();
+ }
 $self->session->scratch->set('EMS_add_purchase_badgeId',$bid);
 my @pastEvents = $self->session->db->buildArray("select r.productId from EventManagementSystem_registrations as r, EventManagementSystem_purchases as p, transaction as t where r.returned=0 and r.badgeId=? and t.transactionId=p.transactionId and t.status='Completed' and p.purchaseId=r.purchaseId group by productId",[$bid]);
 my $purchaseCounter = $self->session->form->process('purchaseCounter');
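Review bot: The ownership lookup on the first added line builds its SQL by concatenating `quote($bid)` while the `buildArray` call two lines below binds the same form value with a placeholder; use the bound form here too so the user-supplied `bid` never enters the SQL string, `my ($userId,$createdByUserId) = $self->session->db->quickArray("select userId, createdByUserId from EventManagementSystem_badges where badgeId=?",[$bid]);`. When no badge row matches, both values come back undef and the two `eq` comparisons run against undef, which raises uninitialized-value warnings and only denies access by accident of string comparison, so make the missing-row case explicit: `my $me = $self->session->user->userId; unless ($isAdmin || (defined $userId && $userId eq $me) || (defined $createdByUserId && $createdByUserId eq $me)) {`. `$isAdmin` is assigned somewhere above the hunk, so whether non-admins are really gated depends on it being computed before this point, which cannot be confirmed from the hunk alone. If a badge can be owned by the shared Visitor account, a bare userId match would let every anonymous visitor add events to it, which is presumably worth an explicit denial and should be checked against the badge-creation path. The body of www_addEventsToBadge starts before and continues past this hunk.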