aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2023-11-16 15:57:03 +0000
committerMario <mario@mariovavti.com>2023-11-16 15:57:03 +0000
commiteadf83d61b68f3e01bb797d16a058b3566619f95 (patch)
tree94d8a9903283f18305ba0410c0c3da360eac3942 /Zotlabs/Module
parent3c20231aadab1c8a687469f8f5d67248a2798e1a (diff)
downloadvolse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.tar.gz
volse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.tar.bz2
volse-hubzilla-eadf83d61b68f3e01bb797d16a058b3566619f95.zip
work around a possible privacy mismatch when processing zot requests
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Item.php15
1 files changed, 9 insertions, 6 deletions
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index b564396c9..4c6b345fb 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -84,7 +84,7 @@ class Item extends Controller {
}
observer_auth($portable_id);
- $i = q("select id as item_id, uid from item where mid = '%s' $item_normal and owner_xchan = '%s' limit 1",
+ $i = q("select id as item_id, uid, item_private from item where mid = '%s' $item_normal and owner_xchan = '%s' limit 1",
dbesc($r[0]['parent_mid']),
dbesc($portable_id)
);
@@ -99,7 +99,7 @@ class Item extends Controller {
$sql_extra = item_permissions_sql(0);
if (!$i) {
- $i = q("select id as item_id, uid from item where mid = '%s' $item_normal $sql_extra order by item_wall desc limit 1",
+ $i = q("select id as item_id, uid, item_private from item where mid = '%s' $item_normal $sql_extra order by item_wall desc limit 1",
dbesc($r[0]['parent_mid'])
);
}
@@ -119,9 +119,11 @@ class Item extends Controller {
}
$parents_str = ids_to_querystr($i, 'item_id');
+ $parent_item_private = $i[0]['item_private'];
- $total = q("SELECT count(*) AS count FROM item WHERE parent = %d $item_normal",
- intval($parents_str)
+ $total = q("SELECT count(*) AS count FROM item WHERE parent = %d and item_private = %d $item_normal",
+ intval($parents_str),
+ intval($parent_item_private)
);
App::set_pager_total($total[0]['count']);
@@ -134,8 +136,9 @@ class Item extends Controller {
as_return_and_die($i ,$chan);
}
else {
- $items = q("SELECT item.*, item.id AS item_id FROM item WHERE item.parent = %d $item_normal ORDER BY item.id",
- intval($parents_str)
+ $items = q("SELECT item.*, item.id AS item_id FROM item WHERE item.parent = %d and item_private = %d $item_normal ORDER BY item.id",
+ intval($parents_str),
+ intval($parent_item_private)
);
xchan_query($items, true);