Ensure permissions check on "resend complete"
authorMagnus Hagander <magnus@hagander.net>
Sat, 13 Jul 2019 17:05:33 +0000 (19:05 +0200)
committerMagnus Hagander <magnus@hagander.net>
Sat, 13 Jul 2019 17:05:33 +0000 (19:05 +0200)
This page just says the resend has completed, but a user who has the
messageid and is subscribed to a *different* list on the same server could
use it to learn of the existence of the email.

django/archives/mailarchives/views.py

index 6f714da8356ac8261f2d192321015135d9563ec4..5e01aa358dbd567a2f7f4aa0052faf675ae1fd48 100644 (file)
@@ -675,6 +675,10 @@ def resend_complete(request, messageid):
     if m.hiddenstatus:
         raise PermissionDenied("Access denied.")
 
+    ensure_message_permissions(request, m.messageid)
+    if m.hiddenstatus:
+        raise PermissionDenied("Access denied.")
+
     lists = List.objects.extra(where=["listid IN (SELECT listid FROM list_threads WHERE threadid=%s)" % m.threadid]).order_by('listname')
 
     return render_nav(NavContext(request, lists[0].listid, lists[0].listname), 'resend_complete.html', {
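Review bot: The added `if m.hiddenstatus: raise PermissionDenied("Access denied.")` repeats the identical check in the two context lines just above it, so it can never fire. The only line this fix needs is `ensure_message_permissions(request, m.messageid)`, and the two lines after it can be dropped. The lookup that produces `m` is outside the hunk; if it answers an unknown message-id with a 404 while this path answers with a 403, the status code would still distinguish existing from non-existing messages for a user without list access, so it is worth confirming that both cases look the same to the client. A short comment on the call, such as `# list-level access check: must run before anything about the message is rendered`, would make the ordering requirement explicit. The body of resend_complete begins and continues outside the hunk.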