From e5198a9dc6444dd62ef8c9977947e59d325ea7b9 Mon Sep 17 00:00:00 2001
From: JT Smith
Date: Sun, 16 Nov 2003 18:53:50 +0000
Subject: [PATCH] fixed bug [ 841194 ] denied post security problem
---
 docs/changelog/5.x.x.txt | 1 +
 lib/WebGUI/Forum/UI.pm | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/docs/changelog/5.x.x.txt b/docs/changelog/5.x.x.txt
index f169a4659..ebb21981b 100644
--- a/docs/changelog/5.x.x.txt
+++ b/docs/changelog/5.x.x.txt
@@ -22,6 +22,7 @@
 - Fixed bug [ 832284 ] Pagination broken in Messageboard with Search
 - Fixed bug [ 838091 ] Read-Only Forum User Cannot Subscribe
 - Fixed bug [ 839524 ] Editing forum settings defaults all template names
+ - Fixed bug [ 841194 ] denied post security problem
 5.5.0
diff --git a/lib/WebGUI/Forum/UI.pm b/lib/WebGUI/Forum/UI.pm
index 497a891ac..ee9ee002d 100644
--- a/lib/WebGUI/Forum/UI.pm
+++ b/lib/WebGUI/Forum/UI.pm
@@ -1266,6 +1266,9 @@ sub getThreadTemplateVars {
 my $callback = $caller->{callback};
 $post->markRead($session{user}{userId});
 my $thread = $post->getThread;
+ if (($post->get("status") eq "denied" && $session{user}{userId} != $post->get("userId")) || $post->get("status") eq "deleted") {
+ $post = $thread->getPost($thread->get("rootPostId"));
+ }
 my $forum = $thread->getForum;
 my $var = getPostTemplateVars($post, $thread, $forum, $caller);
 my $root = WebGUI::Forum::Post->new($thread->get("rootPostId"));
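Review bot: The fallback in the added `if` swaps in the thread's root post without testing the root's own status, so a request for a denied reply in a thread whose root is also denied would still be given the root's template variables; the www_viewThread hunk tests only the originally requested post and would not catch that case. `$post->markRead($session{user}{userId});` also still runs on the requested post before the check, so a denied or deleted post is marked read for a user who is never shown it; moving that call below the `if` block would avoid this. The owner test compares only `userId`, which appears to leave moderators unable to view a denied post; if that is intended it deserves a comment such as `# denied posts are shown only to their author`. getThreadTemplateVars starts and ends outside the hunk, so how the thread's other replies are filtered cannot be judged from here.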
@@ -2289,7 +2292,11 @@ sub www_viewThread {
 $postId = $session{form}{forumPostId} unless ($postId);
 my $post = WebGUI::Forum::Post->new($postId);
 my $var = getThreadTemplateVars($caller, $post);
- return WebGUI::Template::process(WebGUI::Template::get($post->getThread->getForum->get("threadTemplateId"),"Forum/Thread"), $var);
+ if (($post->get("forumPostId") == $post->getThread->get("rootPostId") && $post->get("status") eq "denied" && $session{user}{userId} != $post->get("userId")) || $post->get("status") eq "deleted") {
+ return www_viewForum($caller, $post->getThread->getForum->get("forumId"));
+ } else {
+ return WebGUI::Template::process(WebGUI::Template::get($post->getThread->getForum->get("threadTemplateId"),"Forum/Thread"), $var);
+ }
 }
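Review bot: `my $var = getThreadTemplateVars($caller, $post);` still runs before the new visibility test, so the thread variables are built, and the post marked read inside that call, even when the request is then handed to `www_viewForum`; the `if` should sit above that line so a refused request does no work on the post. The status/owner condition is now spelled out twice in UI.pm in slightly different forms (here the denied case is limited to the root post, while the deleted case is not), which makes the two checks easy to let drift apart; a single private predicate used by both subs would keep the rule in one place. A short comment stating the rule, for example `# denied: author only; deleted: nobody`, would help the next reader. The start of www_viewThread is outside the hunk.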