From 20d13f4391a4dea53f801e7d9ac5668f5e6ecf77 Mon Sep 17 00:00:00 2001
From: Kimura Youichi
Date: Tue, 1 Mar 2016 18:22:03 +0900
Subject: [PATCH] fixes /community/joinList?id=* that access block is not considered (fixes #2636)
---
 lib/action/opCommunityAction.class.php | 1 +
 .../pc_frontend/communityActionsTest.php | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/lib/action/opCommunityAction.class.php b/lib/action/opCommunityAction.class.php
index 593c5d8aa..208372404 100644
--- a/lib/action/opCommunityAction.class.php
+++ b/lib/action/opCommunityAction.class.php
@@ -183,6 +183,7 @@ public function executeJoinlist(opWebRequest $request)
 $this->member = Doctrine::getTable('Member')->find($memberId);
 $this->forward404Unless($this->member);
+ $this->forward404Unless($this->member->isAllowed($this->getUser()->getMember(), 'view'));
 if (!$this->size)
 {
diff --git a/test/functional/pc_frontend/communityActionsTest.php b/test/functional/pc_frontend/communityActionsTest.php
index ea91a96cb..d1ab5dff8 100644
--- a/test/functional/pc_frontend/communityActionsTest.php
+++ b/test/functional/pc_frontend/communityActionsTest.php
@@ -76,6 +76,21 @@
 ->with('response')->isStatusCode(200)
 ;
+$user->login('sns5@example.com', 'password');
+$user
+->info('4. Testing `/community/joinList?id=*`')
+->get('/community/joinList?id=1')
+ ->info('4-1. Member E cannot view the list of communities joined by Member A (Access blocked)')
+ ->checkDispatch('community', 'joinlist')
+ ->isStatusCode(404)
+->get('/community/joinList?id=2')
+ ->info('4-2. Member E can view the list of communities joined by Member B (Normal behavior)')
+ ->checkDispatch('community', 'joinlist')
+ ->isStatusCode(200)
+ ->with('response')
+ ->checkElement('#communityList tr.text a', 5) // 5 communities
+;
+
 $user->login('sns@example.com', 'password');
 $user
 ->info('community/search')
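Review bot: The added `isAllowed(..., 'view')` guard in executeJoinlist carries no comment saying that it enforces the access block, or that 404 is chosen so a blocked viewer gets the same answer as for a member that does not exist. I would put `// Access block: answer 404, same as an unknown member, so a blocked viewer learns nothing.` directly above it. The guard passes `$this->getUser()->getMember()` straight through, so it presumably relies on joinlist being a login-only action; if the action can be reached anonymously, confirm that isAllowed() copes with a missing viewer. The function body starts and ends outside the hunk, so whether other id-driven lookups in this class need the same guard cannot be judged from here.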
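Review bot: Step 4-1 asserts only `->isStatusCode(404)`, which is also what the pre-existing `forward404Unless($this->member)` returns for an unknown id, so the step would still pass if member 1 vanished from the fixtures and cannot by itself prove that the access-block check fired. The steps further depend on unstated fixture facts (member 1 blocks the sns5 account, member 2 does not, and member 2 has exactly five communities). A comment above the login such as `// fixture: Member A (id=1) blocks Member E (sns5); Member B (id=2) has joined 5 communities` would make that dependency visible. Fetching `/community/joinList?id=1` as a non-blocked member and expecting 200 would pin the 404 to the block rather than to a missing record. The new steps call `->isStatusCode(...)` directly on the chain while the context line above uses `->with('response')->isStatusCode(200)`; one form throughout would read more consistently.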