author | redmatrix <git@macgirvin.com> | 2016-01-24 15:44:16 -0800 |
committer | redmatrix <git@macgirvin.com> | 2016-01-24 15:44:16 -0800 |
commit | 5e9e1b2c9171905520672f7a833157d7dd53980c (patch) | |
tree | dea0b7b9b87d15e1c707dec1b821d2f4e1b7ca3f | |
parent | baed7d339ee0d5139fe1c93691a4225796e7e08c (diff) | |
cleanup and add comments about what we're trying to do here
-rw-r--r-- | mod/new_channel.php | 14 | ||||
-rw-r--r-- | mod/thing.php | 1 |
2 files changed, 12 insertions, 3 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php
index 0429bbee7..07b6cfc85 100644
--- a/mod/new_channel.php
+++ b/mod/new_channel.php
@@ -64,7 +64,14 @@ function new_channel_post(&$a) {
 $arr = $_POST;
- if((! $a->get_account()) || ($arr['account_id'] = get_account_id()) === false) {
+ $acc = $a->get_account();
+ $arr['account_id'] = get_account_id();
+
+ // prevent execution by delegated channels as well as those not logged in.
+ // get_account_id() returns the account_id from the session. But $a->account
+ // may point to the original authenticated account.
+
+ if((! $acc) || ($acc['account_id'] != $arr['account_id'])) {
 notice( t('Permission denied.') . EOL );
 return;
 }
@@ -95,7 +102,10 @@ function new_channel_post(&$a) {
 function new_channel_content(&$a) {
- if(! $a->get_account()) {
+
+ $acc = $a->get_account();
+
+ if((! $acc) || $acc['account_id'] != get_account_id()) {
 notice( t('Permission denied.') . EOL);
 return;
 }
diff --git a/mod/thing.php b/mod/thing.php
index 280cc194d..7c5020e62 100644
--- a/mod/thing.php
+++ b/mod/thing.php
@@ -14,7 +14,6 @@ function thing_init(&$a) {
 if(! local_channel())
 return;
- $account_id = $a->get_account();
 $channel = $a->get_channel();
 $term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : ''); |
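Review bot: The new guard in new_channel_post compares `$acc['account_id'] != $arr['account_id']` with a loose `!=`, and the second hunk repeats the same loose comparison in new_channel_content; since the account row field and the session value may arrive with different scalar types, normalising both sides and comparing strictly makes the authorisation intent unambiguous: `if((! $acc) || (intval($acc['account_id']) !== intval($arr['account_id'])))`, and likewise `if((! $acc) || (intval($acc['account_id']) !== intval(get_account_id())))` in new_channel_content. Overwriting `$arr['account_id']` with get_account_id() before the check is the important part, because `$arr` is a copy of `$_POST` and a client-supplied account_id must not survive into the rest of the handler; a one-line comment on that assignment, e.g. `// never trust account_id from the request body; always take it from the session`, would state that explicitly. The explanatory comment about delegated channels was added only to new_channel_post, so the identical guard in new_channel_content should at least carry a short pointer such as `// same delegation check as new_channel_post()`. Both functions continue outside their hunks.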