Merge pull request #261 from zzottel/master

add security fix to load case, too

1 files changed, 9 insertions, 3 deletions

diff --git a/mod/channel.php b/mod/channel.php
index dac4ba2bf..a936650f3 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) {
 				intval($a->profile['profile_uid']),
 				intval(ITEM_WALL)
 			);
+			if (! $r) {
+				notice( t('Permission denied.') . EOL);
+			}
 		} else {
 			$r = q("SELECT distinct parent AS `item_id` from item
 				left join abook on item.author_xchan = abook.abook_xchan
@@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) {
 
 		if($load || ($_COOKIE['jsAvailable'] != 1)) {
 			if ($mid) {
-				$r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
-					dbesc($mid)
+				$r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+					AND (item_flags &  %d) $sql_extra limit 1",
+					dbesc($mid),
+					intval($a->profile['profile_uid']),
+					intval(ITEM_WALL)
 				);
 				if (! $r) {
-					notice( t('Item not found.') . EOL);
+					notice( t('Permission denied.') . EOL);
 				}
 
 			} else {