aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorzzottel <github@zottel.net>2014-01-10 04:39:59 -0800
committerzzottel <github@zottel.net>2014-01-10 04:39:59 -0800
commit9df143aff045748a824da15913760e1d799ec84e (patch)
tree69408d86b902c5f9438c1ff648b1c009f231fe48
parent4e9866f6b20d3747b948b2eab3f6dfb23cc884e7 (diff)
parentea511c67c7b4d67cb98a92d6e86c634e6b37dc64 (diff)
downloadvolse-hubzilla-9df143aff045748a824da15913760e1d799ec84e.tar.gz
volse-hubzilla-9df143aff045748a824da15913760e1d799ec84e.tar.bz2
volse-hubzilla-9df143aff045748a824da15913760e1d799ec84e.zip
Merge pull request #261 from zzottel/master
add security fix to load case, too
-rw-r--r--mod/channel.php12
1 files changed, 9 insertions, 3 deletions
diff --git a/mod/channel.php b/mod/channel.php
index dac4ba2bf..a936650f3 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) {
intval($a->profile['profile_uid']),
intval(ITEM_WALL)
);
+ if (! $r) {
+ notice( t('Permission denied.') . EOL);
+ }
} else {
$r = q("SELECT distinct parent AS `item_id` from item
left join abook on item.author_xchan = abook.abook_xchan
@@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) {
if($load || ($_COOKIE['jsAvailable'] != 1)) {
if ($mid) {
- $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
- dbesc($mid)
+ $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+ AND (item_flags & %d) $sql_extra limit 1",
+ dbesc($mid),
+ intval($a->profile['profile_uid']),
+ intval(ITEM_WALL)
);
if (! $r) {
- notice( t('Item not found.') . EOL);
+ notice( t('Permission denied.') . EOL);
}
} else {