From 8124a7cdc6fdab55bf996f1c817331258f2bb451 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 23 Feb 2021 17:35:26 +0000
Subject: [PATCH] Check that notes belong to the viewer
---
 webapp_person_options.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/webapp_person_options.py b/webapp_person_options.py
index 5c903ce9b..6459f2d45 100644
--- a/webapp_person_options.py
+++ b/webapp_person_options.py
@@ -351,12 +351,13 @@ def htmlPersonOptions(defaultTimeline: str,
 translate['Info'] + '\n'
 personNotes = ''
- personNotesFilename = \
- baseDir + '/accounts/' + nickname + '@' + domain + \
- '/notes/' + handle + '.txt'
- if os.path.isfile(personNotesFilename):
- with open(personNotesFilename, 'r') as fp:
- personNotes = fp.read()
+ if originPathStr.startswith('/' + nickname + '/'):
+ personNotesFilename = \
+ baseDir + '/accounts/' + nickname + '@' + domain + \
+ '/notes/' + handle + '.txt'
+ if os.path.isfile(personNotesFilename):
+ with open(personNotesFilename, 'r') as fp:
+ personNotes = fp.read()
 optionsStr += \
 '

' + translate['Notes'] + ': \n'
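Review bot: The new guard `if originPathStr.startswith('/' + nickname + '/'):` is only as strong as the provenance of its two operands, and nothing in this hunk shows either one being tied to the authenticated session. If the caller parses `nickname` out of the same request path that becomes `originPathStr`, the prefix test cannot fail, so it is worth confirming in the caller that `nickname` is the account the session was authorised for. Separately, `handle` is still concatenated into `personNotesFilename` with no visible validation. Assuming it can originate from request data, the condition should also reject path separators, for example `if originPathStr.startswith('/' + nickname + '/') and '/' not in handle and '..' not in handle:`. The body of htmlPersonOptions begins and continues outside the hunk, so any earlier sanitising of `handle` is not visible here.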