aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2019-04-05 16:46:52 -0700
committerzotlabs <mike@macgirvin.com>2019-04-05 16:46:52 -0700
commit5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98 (patch)
tree69fb31b086cfbfe6ff3a2c55408a3cbd13a4e62d
parentb2bdc73164f7ede118febf823f729e57e7f4950f (diff)
downloadvolse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.tar.gz
volse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.tar.bz2
volse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.zip
security: perms_pending not evaluated correctly
-rw-r--r--include/permissions.php6
1 files changed, 3 insertions, 3 deletions
diff --git a/include/permissions.php b/include/permissions.php
index 115d96eca..1dcd6accb 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_
// They are in your address book, but haven't been approved
- if($channel_perm & PERMS_PENDING) {
+ if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
$ret[$perm_name] = true;
continue;
}
@@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
if(! $x) {
// not in address book and no guest token, see if they've got an xchan
+
$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
dbesc($observer_xchan)
);
@@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
}
$abperms = load_abconfig($uid,$observer_xchan,'my_perms');
}
-
// system is blocked to anybody who is not authenticated
@@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
// They are in your address book, but haven't been approved
- if($channel_perm & PERMS_PENDING) {
+ if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
return true;
}