From a65f512fa3af49901c831006d483ca6f7cac618e Mon Sep 17 00:00:00 2001
From: Raphael
Date: Thu, 26 Aug 2010 11:29:06 -0700
Subject: [PATCH] verify post creator signature in receive
---
 app/models/comment.rb | 2 +-
 app/models/user.rb | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/models/comment.rb b/app/models/comment.rb
index 50e970d8a..ce119f62c 100644
--- a/app/models/comment.rb
+++ b/app/models/comment.rb
@@ -64,7 +64,7 @@ class Comment
 else
 Rails.logger.warn "Received comment has no person"
 end
- verify_signature(creator_signature, person) && verify_signature(post_creator_signature, post.person)
+ verify_signature(creator_signature, person)
 end
 protected
diff --git a/app/models/user.rb b/app/models/user.rb
index 409e964e3..a825864ed 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -195,6 +195,7 @@ class User
 person.save
 elsif object.is_a?(Comment)
+ raise "Signature was not valid on: #{object.inspect}" unless post.person == self || object.verify_post_creator_signature
 dispatch_comment object unless owns?(object)
 object.socket_to_uid(id) if (object.respond_to?(:socket_to_uid) && !self.owns?(object))
 else
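Review bot: In app/models/comment.rb the last line of this method now checks only `creator_signature`, so any caller other than the `receive` branch patched in app/models/user.rb no longer has the post owner's signature verified. Those callers are outside the hunk and should be audited before this method is treated as a complete authenticity check. The context lines also show the "no person" case only logging a warning before `verify_signature(creator_signature, person)` runs; if `person` can be nil there, an explicit `return false` in that branch would make the rejection deliberate rather than dependent on how `verify_signature` handles nil. A comment above the final line, such as `# Author signature only; the post owner's signature is checked by the receiving user`, would record the split. The method starts before the hunk.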
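Review bot: In the `Comment` branch of app/models/user.rb the new guard reads `post.person`, but the received comment is `object` and no `post` is visible in the hunk, so unless the enclosing method defines one this line raises NameError for every incoming comment instead of verifying anything. The intended expression is presumably `object.post.person`, as in `raise "Signature was not valid on: #{object.inspect}" unless object.post.person == self || object.verify_post_creator_signature`. The comparison with `self` also deserves a look: `self` is a User while `post.person` appears to be a person record, so the owner shortcut may never match and should compare like with like. Interpolating `object.inspect` puts the whole comment, signatures included, into the exception message and any log that records it; the comment's id would be enough. The method begins and ends outside the hunk.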