author | Jeroen Dalsem <jdalsem@coldtrick.com> | 2012-10-03 14:07:54 +0200 |
---|---|---|
committer | Jeroen Dalsem <jdalsem@coldtrick.com> | 2012-10-03 14:07:54 +0200 |
commit | b29dcc4b232bdf5f587fce31c2c271c1814c4392 (patch) | |
tree | 5efb14380d03ea0fd7b14ca439c99e546f488080 | |
parent | 9e377f9e006c20c98aa757f1c30228293651a404 (diff) | |
check for correct page_owner to prevent unwanted access to the page
-rw-r--r-- | mod/messages/pages/messages/inbox.php | 9 | ||||
-rw-r--r-- | mod/messages/pages/messages/sent.php | 9 |
2 files changed, 14 insertions, 4 deletions
diff --git a/mod/messages/pages/messages/inbox.php b/mod/messages/pages/messages/inbox.php
index fdfc20c43..de5b8b231 100644
--- a/mod/messages/pages/messages/inbox.php
+++ b/mod/messages/pages/messages/inbox.php
@@ -8,8 +8,13 @@
 gatekeeper();
 $page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
 forward();
 }
diff --git a/mod/messages/pages/messages/sent.php b/mod/messages/pages/messages/sent.php
index af06ab273..3d08cd5ee 100644
--- a/mod/messages/pages/messages/sent.php
+++ b/mod/messages/pages/messages/sent.php
@@ -8,8 +8,13 @@
 gatekeeper();
 $page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
 forward();
 } |
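Review bot: The new guard `!$page_owner->canEdit()` is a permission check rather than an ownership check, so in both inbox.php and sent.php the mailbox is still shown to anyone who may edit the page owner (typically administrators, or whoever a permissions hook grants), not only to the account holder. If these pages are meant to be private to the owner, compare identities instead, e.g. `if (!$page_owner || $page_owner->getGUID() != elgg_get_logged_in_user_guid()) {`; if administrator access is intended, state that next to the condition with a comment such as `// canEdit(): the owner or an admin may view this mailbox`. The guard also does not confirm that the page owner is a user entity; whether that matters depends on the listing code that follows, which is outside the hunk. The identical block is pasted into both files, so a shared helper would keep the two checks from drifting apart.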