authorredmatrix <git@macgirvin.com>2016-05-12 16:45:49 -0700
committerredmatrix <git@macgirvin.com>2016-05-12 16:47:03 -0700
commit781716277ba382e0415e9188c252c1b79093ed6b (patch)
tree4fe0250b2825bd2ccbf89eaecebcd39328cf38cf
parent4d00c480263e857eb52dcf8d0a6f08370881c8ee (diff)
SECURITY: an edited comment on a private post loses its privacy settings. The edited comment isn't visible in the stream but may be visible in feeds.
-rw-r--r--include/zot.php10
1 files changed, 10 insertions, 0 deletions
diff --git a/include/zot.php b/include/zot.php
index 157354afa..8adc74ffa 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1953,6 +1953,16 @@ function remove_community_tag($sender, $arr, $uid) {
*/
function update_imported_item($sender, $item, $orig, $uid) {
+ // If this is a comment being updated, remove any privacy information
+ // so that item_store_update will set it from the original.
+
+ if($item['mid'] !== $item['parent_mid']) {
+ unset($item['allow_cid']);
+ unset($item['allow_gid']);
+ unset($item['deny_cid']);
+ unset($item['deny_gid']);
+ unset($item['item_private']);
+ }
$x = item_store_update($item);
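Review bot: The comment on the new block in update_imported_item says item_store_update will set the privacy fields from the original, but that fallback is not visible in this hunk and the fix is only as strong as it is. If absent keys were stored as empty values, an edited comment would still end up public instead of keeping the stored ACL. It is worth confirming this against item_store_update and adding a regression check that an edited comment on a private post keeps `item_private`, `allow_cid`, `allow_gid`, `deny_cid` and `deny_gid`. The comment could also record the reason, e.g. `// SECURITY: ACL fields sent with an edited comment are not trusted; the stored item's values are kept.` The function body continues outside the hunk.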