From ea3d3e9e9c03ccff2e37e4b8677865828d5b9971 Mon Sep 17 00:00:00 2001
From: Doug Bell
Date: Fri, 13 Jun 2008 20:16:48 +0000
Subject: [PATCH] fixed: Security issue in CS RSS feeds

---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset/RSSFromParent.pm | 1 +
 2 files changed, 2 insertions(+)

diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index d381e4d59..c7f5c26dc 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -3,6 +3,7 @@
 - fixed: Product Variants not saving SKU
 - fixed: Shop Payment Methods
 - fixed: Syndicated Content asset makes template engine choke
+ - fixed: Security issue in CS RSS feeds
 - fixed: Asset Manager breaks when an asset is locked
 - fixed: Asset Manager is slow to load
 - fixed: project management application unable to add or edit tasks.
diff --git a/lib/WebGUI/Asset/RSSFromParent.pm b/lib/WebGUI/Asset/RSSFromParent.pm
index 4e6876357..dfd1c9e0c 100644
--- a/lib/WebGUI/Asset/RSSFromParent.pm
+++ b/lib/WebGUI/Asset/RSSFromParent.pm
@@ -96,6 +96,7 @@ sub www_view {
 my $self = shift;
 return '' unless $self->session->asset->getId eq $self->getId;
 return '' unless $self->getParent->isa('WebGUI::Asset::RSSCapable');
+ return '' unless $self->getParent->canView; # Go to parent for auth
 my $parent = $self->getParent;
 my $template = WebGUI::Asset::Template->new($self->session, $parent->get('rssCapableRssTemplateId'));
 $template->prepare;
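Review bot: The new `canView` guard in `www_view` denies access by returning `''`, the same value the two "not applicable" guards above it return, so a refused feed request is indistinguishable from a wrong-asset request in the response and in logs. If the usual WebGUI privilege helper fits here, `return $self->session->privilege->noAccess unless $parent->canView;` (with `my $parent = $self->getParent;` hoisted above the guards, which also removes the three repeated `getParent` calls) would make the denial explicit. The commit adds no regression test: a test that requests the feed of a view-restricted parent as a visitor and asserts that no items are rendered would pin this fix. The body of `www_view` continues past the hunk, so it is worth confirming that nothing further down (cached output, other `www_` entry points on this asset) renders parent content without the same check.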