author | Mario <mario@mariovavti.com> | 2023-11-16 15:57:03 +0000 |
committer | Mario <mario@mariovavti.com> | 2023-11-16 15:57:03 +0000 |
commit | eadf83d61b68f3e01bb797d16a058b3566619f95 (patch) | |
tree | 94d8a9903283f18305ba0410c0c3da360eac3942 /Zotlabs/Module | |
parent | 3c20231aadab1c8a687469f8f5d67248a2798e1a (diff) | |
download | volse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.tar.gz volse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.tar.bz2 volse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.zip |
work around a possible privacy mismatch when processing zot requests
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Item.php | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index b564396c9..4c6b345fb 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -84,7 +84,7 @@ class Item extends Controller {
 }
 observer_auth($portable_id);
- $i = q("select id as item_id, uid from item where mid = '%s' $item_normal and owner_xchan = '%s' limit 1",
+ $i = q("select id as item_id, uid, item_private from item where mid = '%s' $item_normal and owner_xchan = '%s' limit 1",
 dbesc($r[0]['parent_mid']),
 dbesc($portable_id)
 );
@@ -99,7 +99,7 @@ class Item extends Controller {
 $sql_extra = item_permissions_sql(0);
 if (!$i) {
- $i = q("select id as item_id, uid from item where mid = '%s' $item_normal $sql_extra order by item_wall desc limit 1",
+ $i = q("select id as item_id, uid, item_private from item where mid = '%s' $item_normal $sql_extra order by item_wall desc limit 1",
 dbesc($r[0]['parent_mid'])
 );
 }
@@ -119,9 +119,11 @@ class Item extends Controller {
 }
 $parents_str = ids_to_querystr($i, 'item_id');
+ $parent_item_private = $i[0]['item_private'];
- $total = q("SELECT count(*) AS count FROM item WHERE parent = %d $item_normal",
- intval($parents_str)
+ $total = q("SELECT count(*) AS count FROM item WHERE parent = %d and item_private = %d $item_normal",
+ intval($parents_str),
+ intval($parent_item_private)
 );
 App::set_pager_total($total[0]['count']);
@@ -134,8 +136,9 @@ class Item extends Controller {
 as_return_and_die($i ,$chan);
 }
 else {
- $items = q("SELECT item.*, item.id AS item_id FROM item WHERE item.parent = %d $item_normal ORDER BY item.id",
- intval($parents_str)
+ $items = q("SELECT item.*, item.id AS item_id FROM item WHERE item.parent = %d and item_private = %d $item_normal ORDER BY item.id",
+ intval($parents_str),
+ intval($parent_item_private)
 );
 xchan_query($items, true);
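Review bot: `$parent_item_private = $i[0]['item_private'];` in the third hunk depends on every query that can populate `$i` selecting `item_private`, and only the two queries changed in the first two hunks are visible here; if any other assignment to `$i` between those hunks lies outside this view and omits the column, the lookup yields null and `intval()` turns it into `item_private = 0`. That fails closed for a private thread (no children returned) rather than leaking, but it is silent and easy to miss, so make the fallback explicit: `$parent_item_private = intval($i[0]['item_private'] ?? 0);`. The same `and item_private = %d` condition is duplicated in the count query and the items query of the last two hunks, with nothing in the code recording why it is there; a comment above the first, stating that child items are expected to carry the parent's privacy flag and that this equality is a consistency guard rather than a per-item permission check (the parent alone is subject to `$sql_extra`), would preserve the commit message's intent for the next reader. The enclosing method starts and ends outside the hunks.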