author | Mario Vavti <mario@mariovavti.com> | 2015-04-22 12:00:15 +0200 |
---|---|---|
committer | Mario Vavti <mario@mariovavti.com> | 2015-04-22 12:00:15 +0200 |
commit | 9e490d022b985f295a0547c8a115c610a77a3a24 (patch) | |
tree | 1d3db764fd0b939a58836351211a3ea6bcba5e1f | |
parent | b4dff3a9ff16811ea0310f5dbf4d7559c97835b0 (diff) | |
fix webpage perms
-rw-r--r-- | include/conversation.php | 2 | ||||
-rw-r--r-- | mod/editwebpage.php | 9 | ||||
-rw-r--r-- | mod/webpages.php | 4 |
3 files changed, 12 insertions, 3 deletions
diff --git a/include/conversation.php b/include/conversation.php index 5ae2250a8..19c5bda14 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1637,7 +1637,7 @@ function profile_tabs($a, $is_owner = false, $nickname = null){ ); } - if ($is_owner && feature_enabled($uid,'webpages')) { + if ($p['write_pages'] && feature_enabled($uid,'webpages')) { $tabs[] = array( 'label' => t('Webpages'), 'url' => $a->get_baseurl() . '/webpages/' . $nickname, diff --git a/mod/editwebpage.php b/mod/editwebpage.php index a7564a126..a1918741b 100644 --- a/mod/editwebpage.php +++ b/mod/editwebpage.php @@ -90,11 +90,18 @@ function editwebpage_content(&$a) { // We've already figured out which item we want and whose copy we need, // so we don't need anything fancy here - $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1", + $sql_extra = item_permissions_sql($owner); + + $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s $sql_extra LIMIT 1", intval($post_id), intval($owner) ); + if(! $itm) { + notice( t('Permission denied.') . EOL); + return; + } + if($itm[0]['item_flags'] & ITEM_OBSCURED) { $key = get_config('system','prvkey'); if($itm[0]['title']) diff --git a/mod/webpages.php b/mod/webpages.php index 615969d78..44b4ee561 100644 --- a/mod/webpages.php +++ b/mod/webpages.php @@ -131,8 +131,10 @@ function webpages_content(&$a) { // so just list titles and an edit link. /** @TODO - this should be replaced with pagelist_widget */ + $sql_extra = item_permissions_sql($owner); + $r = q("select * from item_id left join item on item_id.iid = item.id - where item_id.uid = %d and service = 'WEBPAGE' order by item.created desc", + where item_id.uid = %d and service = 'WEBPAGE' $sql_extra order by item.created desc", intval($owner) ); |
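Review bot: The new condition in profile_tabs() reads `$p['write_pages']`, but `$p` is assigned outside this hunk, so a missing key would hide the tab without any error. A short comment above the `if` would make the intent explicit, for example `// display hint only: write_pages is enforced in mod/webpages.php and mod/editwebpage.php`. Hiding or showing the tab is presentation, and the two handlers changed later in this commit remain the real access check. The body of profile_tabs() starts and ends outside the hunk.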
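Review bot: In the mod/editwebpage.php hunk the rewritten query keeps `uid = %s` for an argument that is passed as `intval($owner)`; `and uid = %d $sql_extra LIMIT 1` would match the `%d` already used for `id`. `$sql_extra` is interpolated straight into what looks like a printf-style format string given to `q()`, so a literal `%` in the fragment would be read as a conversion; item_permissions_sql() is not shown here, so confirm it returns format-safe text. The mod/webpages.php hunk builds its query the same way. The fragment presumably filters on what the observer may view, so the `write_pages` check for this editor has to happen earlier in editwebpage_content(), whose body starts and ends outside the hunk. A comment such as `// $sql_extra is built server-side by item_permissions_sql(); never append request data here` would document why the interpolation is acceptable.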
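Review bot: In the mod/webpages.php hunk `$sql_extra` is appended to a query that joins `item_id` and `item`, and both tables carry a `uid` column (the query itself writes `item_id.uid`, and the editwebpage query filters `item` on `uid`). If the fragment from item_permissions_sql() names any column without a table prefix that exists in both tables, the statement becomes ambiguous and returns nothing. What the list does with an empty or failed result is outside the hunk and should be checked, along with whether the fragment's columns are unique to `item`. Conditions on `item` columns also turn the `left join` into an effective inner join, which is probably intended here but is worth a comment like `// permission filter applies to item.*; rows without a matching item are dropped`. The body of webpages_content() continues outside the hunk.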