2 files changed, 19 insertions, 7 deletions

diff --git a/mediagoblin/decorators.py b/mediagoblin/decorators.py
index 2e7ad386..34a471cb 100644
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@@ -15,6 +15,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 
+from bson.errors import InvalidId
 from webob import exc
 
 from mediagoblin.db.util import ObjectId
@@ -65,20 +66,31 @@ def uses_pagination(controller):
     return _make_safe(wrapper, controller)
 
 
-def get_media_entry(controller):
+def get_user_media_entry(controller):
     """
     Pass in a MediaEntry based off of a url component
     """
     def wrapper(request, *args, **kwargs):
+        user = request.db.User.find_one(
+            {'username': request.matchdict['user']})
+
+        if not user:
+            return exc.HTTPNotFound()
+
         media = request.db.MediaEntry.find_one(
             {'slug': request.matchdict['media'],
-             'state': 'processed'})
+             'state': 'processed',
+             'uploader._id': user['_id']})
 
         # no media via slug?  Grab it via ObjectId
         if not media:
-            media = request.db.MediaEntry.find_one(
-                {'_id': ObjectId(request.matchdict['media']),
-                 'state': 'processed'})
+            try:
+                media = request.db.MediaEntry.find_one(
+                    {'_id': ObjectId(request.matchdict['media']),
+                     'state': 'processed',
+                     'uploader._id': user['_id']})
+            except InvalidId:
+                return exc.HTTPNotFound()
 
             # Still no media?  Okay, 404.
             if not media:
diff --git a/mediagoblin/user_pages/views.py b/mediagoblin/user_pages/views.py
index 0803749a..4a570579 100644
--- a/mediagoblin/user_pages/views.py
+++ b/mediagoblin/user_pages/views.py
@@ -18,7 +18,7 @@ from webob import Response, exc
 from mediagoblin.db.util import DESCENDING
 from mediagoblin.util import Pagination
 
-from mediagoblin.decorators import uses_pagination, get_media_entry
+from mediagoblin.decorators import uses_pagination, get_user_media_entry
 
 
 @uses_pagination
@@ -52,7 +52,7 @@ def user_home(request, page):
              'pagination': pagination}))
 
 
-@get_media_entry
+@get_user_media_entry
 def media_home(request, media):
     """'Homepage' of a MediaEntry()"""
     # Check that media uploader and user correspond.