From: Magnus Hagander
Date: Sat, 13 Jul 2019 17:05:33 +0000 (+0200)
Subject: Ensure permissions check on "resend complete"
X-Git-Url: http://git.postgresql.org/gitweb/static/gitweb.js?a=commitdiff_plain;h=b0cd552372493f4527604ab800f81e8ceff57045;p=pgarchives.git

Ensure permissions check on "resend complete"

This page just says the resend has completed, but a user having the messageid but subscribed to a *different* list on the same server could leak the existance of the email.
---

diff --git a/django/archives/mailarchives/views.py b/django/archives/mailarchives/views.py
index 6f714da..5e01aa3 100644
--- a/django/archives/mailarchives/views.py
+++ b/django/archives/mailarchives/views.py
@@ -675,6 +675,10 @@ def resend_complete(request, messageid):
 if m.hiddenstatus:
 raise PermissionDenied("Access denied.")
+ ensure_message_permissions(request, m.messageid)
+ if m.hiddenstatus:
+ raise PermissionDenied("Access denied.")
+
 lists = List.objects.extra(where=["listid IN (SELECT listid FROM list_threads WHERE threadid=%s)" % m.threadid]).order_by('listname')
 return render_nav(NavContext(request, lists[0].listid, lists[0].listname), 'resend_complete.html', {