Diffstat (limited to 'src')
-rw-r--r--src/mailman/docs/NEWS.rst1
-rw-r--r--src/mailman/model/requests.py2
-rw-r--r--src/mailman/model/tests/test_requests.py7
-rw-r--r--src/mailman/rest/tests/test_moderation.py23
4 files changed, 32 insertions, 1 deletions
diff --git a/src/mailman/docs/NEWS.rst b/src/mailman/docs/NEWS.rst
index 909c5365b..cf475e7de 100644
--- a/src/mailman/docs/NEWS.rst
+++ b/src/mailman/docs/NEWS.rst
@@ -58,6 +58,7 @@ Bugs
address. (Closes #185)
* Fix membership query when multiple users are subscribed to a mailing list.
Reported by Darrell Kresge. (Closes: #190)
+ * Prevent moderation of messages held for a different list. (Closes: #161)
Configuration
-------------
diff --git a/src/mailman/model/requests.py b/src/mailman/model/requests.py
index 83120e182..341233280 100644
--- a/src/mailman/model/requests.py
+++ b/src/mailman/model/requests.py
@@ -113,7 +113,7 @@ class ListRequests:
@dbconnection
def get_request(self, store, request_id, request_type=None):
result = store.query(_Request).get(request_id)
- if result is None:
+ if result is None or result.mailing_list != self.mailing_list:
return None
if request_type is not None and result.request_type != request_type:
return None
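Review bot: The ownership check added to `get_request` covers this lookup only; other `ListRequests` methods that accept a `request_id` lie outside the hunk and should be confirmed to apply the same list scoping. `delete_request`, which test_requests.py exercises, is the first one to check. The new condition also deserves a why-comment so it is not later removed as redundant, for example `# Request ids are global; never hand back a request held for another list (#161).` Returning `None` for both a missing id and a foreign id is a sound choice, since callers cannot tell from the result which ids exist on other lists. `get_request` continues past the end of the hunk.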
diff --git a/src/mailman/model/tests/test_requests.py b/src/mailman/model/tests/test_requests.py
index 684d00e52..37fc2d659 100644
--- a/src/mailman/model/tests/test_requests.py
+++ b/src/mailman/model/tests/test_requests.py
@@ -74,3 +74,10 @@ Something else.
with self.assertRaises(KeyError) as cm:
self._requests_db.delete_request(801)
self.assertEqual(cm.exception.args[0], 801)
+
+ def test_only_return_this_lists_requests(self):
+ # Issue #161: get_requests() returns requests that are not specific to
+ # the mailing list in question.
+ request_id = hold_message(self._mlist, self._msg)
+ bee = create_list('bee@example.com')
+ self.assertIsNone(IListRequests(bee).get_request(request_id))
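Review bot: The comment in `test_only_return_this_lists_requests` names `get_requests()`, but the call under test is `get_request()`, and it describes the old bug rather than the behaviour being pinned. Suggested wording: `# Issue #161: get_request() must not return a request held for a different mailing list.` The test would also be stronger with a positive control, so that it cannot pass merely because the hold failed: `self.assertIsNotNone(IListRequests(self._mlist).get_request(request_id))`.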
diff --git a/src/mailman/rest/tests/test_moderation.py b/src/mailman/rest/tests/test_moderation.py
index c0e00a6c9..17322b618 100644
--- a/src/mailman/rest/tests/test_moderation.py
+++ b/src/mailman/rest/tests/test_moderation.py
@@ -126,6 +126,29 @@ Something else.
self.assertEqual(content['total_size'], 1)
self.assertEqual(content['entries'][0]['request_id'], held_id)
+ def test_cant_get_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('bee@example.com')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id))
+ self.assertEqual(cm.exception.code, 404)
+
+ def test_cant_moderate_other_lists_holds(self):
+ # Issue #161: It was possible to moderate a held message for another
+ # list via the REST API.
+ with transaction():
+ held_id = hold_message(self._mlist, self._msg)
+ create_list('bee@example.com')
+ with self.assertRaises(HTTPError) as cm:
+ call_api('http://localhost:9001/3.0/lists/bee.example.com'
+ '/held/{}'.format(held_id),
+ dict(action='discard'))
+ self.assertEqual(cm.exception.code, 404)
+
class TestSubscriptionModeration(unittest.TestCase):
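Review bot: `test_cant_moderate_other_lists_holds` asserts only the 404 status, so it would still pass if the handler discarded the message before reporting the error. After the rejected POST, it should verify through the owning list that the hold still exists, for instance by fetching the same `held_id` via that list's `/held/` URL and checking that it succeeds. The two tests also carry an identical comment. The first one exercises a read, so `# Issue #161: It was possible to read a held message for another list via the REST API.` would distinguish them. Only `action='discard'` is covered; the other moderation actions presumably share the same lookup, but a test for one of them would confirm it.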