diff options
| author | zotlabs <mike@macgirvin.com> | 2019-04-05 23:46:52 +0000 |
|---|---|---|
| committer | Mario <mario@mariovavti.com> | 2019-04-06 10:30:32 +0200 |
| commit | a93bd8d944f8b4e35aa27ca417a4e6831f8dd7b5 (patch) | |
| tree | 6322a8d829bf5e34c1a0ee8f6a2944ec0c3a3014 | |
| parent | 33ac85f637be3c7888142d175d822e14d7cb6bd2 (diff) | |
| download | volse-hubzilla-a93bd8d944f8b4e35aa27ca417a4e6831f8dd7b5.tar.gz volse-hubzilla-a93bd8d944f8b4e35aa27ca417a4e6831f8dd7b5.tar.bz2 volse-hubzilla-a93bd8d944f8b4e35aa27ca417a4e6831f8dd7b5.zip | |
security: perms_pending not evaluated correctly
(cherry picked from commit 5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98)
| -rw-r--r-- | include/permissions.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/include/permissions.php b/include/permissions.php index 115d96eca..1dcd6accb 100644 --- a/include/permissions.php +++ b/include/permissions.php @@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_ // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { $ret[$perm_name] = true; continue; } @@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = if(! $x) { // not in address book and no guest token, see if they've got an xchan + $y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1", dbesc($observer_xchan) ); @@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = } $abperms = load_abconfig($uid,$observer_xchan,'my_perms'); } - // system is blocked to anybody who is not authenticated @@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { return true; } |