authorzottel <github@zottel.net>2014-01-09 16:06:33 +0100
committerzottel <github@zottel.net>2014-01-09 16:06:33 +0100
commita517a27d53cc3eb29c004279c73de84f764574aa (patch)
treefad03f9a2ed379d9754987ccc043dd7de1aa5cfa
parent5d83855afdd4ebf770462de7520e72ffb9c6c1c2 (diff)
fix a bug that made it possible for everyone to access any message from other
channels using channel/<channel>/?mid=...
-rw-r--r--mod/channel.php26
1 files changed, 26 insertions, 0 deletions
diff --git a/mod/channel.php b/mod/channel.php
index 205a89fa3..27f1cbdc6 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -138,6 +138,17 @@ function channel_content(&$a, $update = 0, $load = false) {
$r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
dbesc($mid)
);
+logger("update ");
+ if ($r) {
+ // make sure we don't show other people's posts from our matrix
+ $parent = q("SELECT owner_xchan from item where id = %d",
+ dbesc($r[0]['item_id'])
+ );
+logger("update ");
+logger($parent);
+ if ($parent['owner_xchan'] != $a->profile['channel_hash'])
+ $r = array();
+ }
} else {
$r = q("SELECT distinct parent AS `item_id` from item
left join abook on item.author_xchan = abook.abook_xchan
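Review bot: The ownership check `if ($parent['owner_xchan'] != $a->profile['channel_hash'])` reads a column straight off the `q()` result, while three lines earlier the same hunk indexes a `q()` result as a list of rows (`$r[0]['item_id']`), so the comparison most likely never sees the real `owner_xchan` and the branch clears `$r` for every mid (fail-closed, but it also hides the channel's own posts on the update path). Indexing the row and handling an empty result, with a strict comparison for the hash strings, reads `if ((! $parent) || $parent[0]['owner_xchan'] !== $a->profile['channel_hash'])`. The `%d` placeholder in the owner lookup is fed `dbesc($r[0]['item_id'])`; an integer placeholder should take `intval($r[0]['item_id'])`, as the counterpart check later in this file already does with `intval(...)`. The three `logger(...)` calls here, and `logger("load ")` in the next hunk, look like leftover debug output, and `logger($parent)` hands an array to what appears to be a string logger. channel_content's body begins and ends outside the hunk.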
@@ -177,6 +188,7 @@ function channel_content(&$a, $update = 0, $load = false) {
$r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
dbesc($mid)
);
+logger("load ");
} else {
$r = q("SELECT distinct id AS item_id FROM item
left join abook on item.author_xchan = abook.abook_xchan
@@ -197,6 +209,20 @@ function channel_content(&$a, $update = 0, $load = false) {
}
}
+ if ($mid && $r) {
+ // make sure we don't show other people's posts from our matrix
+ // as $a->profile['channel_hash'] isn't set when a JS query comes in
+ // we have to do that with a join
+ $ismine = q("SELECT * from item
+ join channel on item.owner_xchan = channel.channel_hash
+ where item.id = %d and channel.channel_id = %d",
+ dbesc($r[0]['item_id']),
+ intval($a->profile['profile_uid'])
+ );
+ if (!$ismine)
+ $r = array();
+ }
+
if($r) {
$parents_str = ids_to_querystr($r,'item_id');