don't show notices to out-of-scope viewers

actions/shownotice.php

@@ -79,7 +79,7 @@ class ShownoticeAction extends OwnerDesignAction
 
         $id = $this->arg('notice');
 
-        $this->notice = Notice::staticGet($id);
+        $this->notice = Notice::staticGet('id', $id);
 
         if (empty($this->notice)) {
             // Did we used to have it, and it got deleted?
@@ -94,6 +94,18 @@ class ShownoticeAction extends OwnerDesignAction
             return false;
         }
 
+        $cur = common_current_user();
+
+        if (!empty($cur)) {
+            $curProfile = $cur->getProfile();
+        } else {
+            $curProfile = null;
+        }
+
+        if (!$this->notice->inScope($curProfile)) {
+            throw new ClientException(_('Not available.'), 403);
+        }
+
         $this->profile = $this->notice->getProfile();
 
         if (empty($this->profile)) {