authorzotlabs <mike@macgirvin.com>2017-03-12 21:55:24 -0700
committerzotlabs <mike@macgirvin.com>2017-03-12 21:55:24 -0700
commitfc533107ed49735aad5ba39bf02b87ed7ac870b6 (patch)
tree9122edfb24f8d24d5baf1f024d9715e895cff3d1 /Zotlabs/Module
parent1ee76cb5066870db9ea427e00e5c18edfb292496 (diff)
better handling of mimetype security
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Editwebpage.php2
-rw-r--r--Zotlabs/Module/Item.php23
2 files changed, 7 insertions, 18 deletions
diff --git a/Zotlabs/Module/Editwebpage.php b/Zotlabs/Module/Editwebpage.php
index 3d4af107d..97f4a32ff 100644
--- a/Zotlabs/Module/Editwebpage.php
+++ b/Zotlabs/Module/Editwebpage.php
@@ -130,8 +130,6 @@ class Editwebpage extends \Zotlabs\Web\Controller {
$layout = $itm[0]['layout_mid'];
- $tpl = get_markup_template("jot.tpl");
-
$rp = 'webpages/' . $which;
$x = array(
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index 4725ecb38..afac1542d 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -480,22 +480,13 @@ class Item extends \Zotlabs\Web\Controller {
$execflag = false;
- if($mimetype !== 'text/bbcode') {
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval($profile_uid)
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- if($uid && (get_account_id() == $z[0]['account_id'])) {
- $execflag = true;
- }
- else {
- notice( t('Executable content type not permitted to this channel.') . EOL);
- if($api_source)
- return ( [ 'success' => false, 'message' => 'forbidden content type' ] );
- if(x($_REQUEST,'return'))
- goaway(z_root() . "/" . $return_path );
- killme();
- }
+ $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id
+ where channel_id = %d limit 1",
+ intval($profile_uid)
+ );
+ if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
+ if($uid && (intval(get_account_id()) == intval($z[0]['account_id']))) {
+ $execflag = true;
}
}
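Review bot: With the `else` branch removed, this block can only grant `$execflag`; a non-bbcode post by a user whose account lacks `ACCOUNT_ROLE_ALLOWCODE`/`PAGE_ALLOWCODE`, or whose account id does not match the channel's, now falls through with `$execflag = false` and no `notice()`, API error or `goaway()`, so rejection of that content must happen after this hunk — presumably in the code that consumes `$execflag`, which is not visible here (the diffstat is limited to `Zotlabs/Module`, so other files may carry it). A comment on the `$execflag = false;` line would make that contract visible to the next reader: `// grant-only: non-bbcode content posted without $execflag is rejected/neutralised downstream, not here`. Dropping the `$mimetype !== 'text/bbcode'` guard also means the account/channel query now runs for every item post, including plain bbcode; if that is unintended, wrapping the query in `if($mimetype !== 'text/bbcode') {` restores the previous behaviour without weakening the check. The enclosing method starts and ends outside the hunk.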