author | zottel <github@zottel.net> | 2014-01-09 16:06:33 +0100 |
---|---|---|
committer | zottel <github@zottel.net> | 2014-01-09 16:06:33 +0100 |
commit | a517a27d53cc3eb29c004279c73de84f764574aa (patch) | |
tree | fad03f9a2ed379d9754987ccc043dd7de1aa5cfa | |
parent | 5d83855afdd4ebf770462de7520e72ffb9c6c1c2 (diff) | |
Fix a bug that let anyone read any message belonging to another channel by
requesting channel/<channel>/?mid=... with that message's mid.
-rw-r--r-- | mod/channel.php | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/mod/channel.php b/mod/channel.php
index 205a89fa3..27f1cbdc6 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -138,6 +138,17 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) );
+logger("update ");
+ if ($r) {
+ // make sure we don't show other people's posts from our matrix
+ $parent = q("SELECT owner_xchan from item where id = %d",
+ dbesc($r[0]['item_id'])
+ );
+logger("update ");
+logger($parent);
+ if ($parent['owner_xchan'] != $a->profile['channel_hash'])
+ $r = array();
+ }
 }
 else {
 $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan
@@ -177,6 +188,7 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) );
+logger("load ");
 }
 else {
 $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan
@@ -197,6 +209,20 @@ function channel_content(&$a, $update = 0, $load = false) {
 }
 }
+ if ($mid && $r) {
+ // make sure we don't show other people's posts from our matrix
+ // as $a->profile['channel_hash'] isn't set when a JS query comes in
+ // we have to do that with a join
+ $ismine = q("SELECT * from item
+ join channel on item.owner_xchan = channel.channel_hash
+ where item.id = %d and channel.channel_id = %d",
+ dbesc($r[0]['item_id']),
+ intval($a->profile['profile_uid'])
+ );
+ if (!$ismine)
+ $r = array();
+ }
+
 if($r) {
 $parents_str = ids_to_querystr($r,'item_id'); |
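Review bot: `$parent['owner_xchan']` treats the result of `q()` as a single row, while the same hunk reads `$r[0]['item_id']` from a result of the same call, so the key is never present and the comparison is effectively `null != $a->profile['channel_hash']` — it blanks `$r` whenever the hash is set and lets everything through when it is not, which the comment in the later hunk says is the JS-update case. Either read `$parent[0]['owner_xchan']` and compare with `!==`, or drop this block and rely on the join check the commit adds after the if/else, which already runs for the update path. `dbesc()` is also the wrong guard for a `%d` placeholder; `intval($r[0]['item_id'])` matches what the later hunk does for `profile_uid`. The three unindented `logger("update ")` / `logger($parent)` lines read as leftover debug traces and should be removed, `logger($parent)` in particular dumps a DB row into the log. channel_content() starts and ends outside the hunk.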
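Review bot: `logger("load ");` at column 0 is a bare debug trace with no variable content and nothing it diagnoses; it fires on every `$mid` load and should be removed before merge, or if it is meant to stay, carry a message that identifies the request (the `$mid` at least). The enclosing `if`/`else` and channel_content() extend outside the hunk.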
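Review bot: `dbesc($r[0]['item_id'])` feeds a `%d` placeholder; the adjacent `intval($a->profile['profile_uid'])` is the right guard for integer placeholders, so use `intval($r[0]['item_id'])` here too — `dbesc` escapes a string, it does not force an integer. The gate fails closed (an unset `profile_uid` becomes 0, which presumably matches no channel row, and `$r` is emptied), which is the right default for an authorization check; a one-line comment stating that intent would help, e.g. `// fails closed: no (item, viewed-channel) match means the thread is not shown`. `SELECT *` pulls full item and channel rows only to test for existence; `SELECT item.id` is enough. The code that consumes `$r` continues past the hunk.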