author | zotlabs <mike@macgirvin.com> | 2017-03-13 16:19:47 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2017-03-13 16:19:47 -0700 |
commit | 58aa0f3e1a52a0c20016a4330100231ad505e6e4 (patch) | |
tree | a599768b88ac95a8c8bc395371b249dd5ab518d4 /include/channel.php | |
parent | 02b390d7b867750aa466f912a8e1024d35ebf4e8 (diff) | |
code_allowed is a real mess. Start the cleanup by removing the account level code allow and limiting to specific channels only. This reduces the possibility of cross channel security issues coming into play. Then provide a single function for checking the code permission. This is only partially done as we often need to check against the observer or logged in channel as well as the resource owner to ensure that this only returns true for local channels which also own the requested resource.
Diffstat (limited to 'include/channel.php')
-rw-r--r-- | include/channel.php | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/include/channel.php b/include/channel.php index b838f8393..ceb5eeb7a 100644 --- a/include/channel.php +++ b/include/channel.php @@ -2252,3 +2252,20 @@ function channel_remove($channel_id, $local = true, $unset_session=false) { } } + +/* + * This checks if a channel is allowed to publish executable code. + * It is up to the caller to determine if the observer or local_channel + * is in fact the resource owner whose channel_id is being checked + */ + +function channel_codeallowed($channel_id) { + + if(! intval($channel_id)) + return false; + + $x = channelx_by_n($channel_id); + if(($x) && ($x['channel_pageflags'] & PAGE_ALLOWCODE)) + return true; + return false; +}
\ No newline at end of file |
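Review bot: channel_codeallowed() only tests PAGE_ALLOWCODE on whatever $channel_id it is handed, and the comment above it leaves the ownership check ("if the observer or local_channel is in fact the resource owner") to every caller. Because a true result gates publishing executable code, a call site that omits that comparison ends up authorizing on another channel's flag. Consider having the function take the observer or logged-in channel as a second argument and do the comparison itself, or adding a wrapper that combines both checks so the bare flag test is not what callers reach for. Smaller points: the body can be reduced to a single boolean return of the flag test, the docblock would be clearer as /** with @param and @return, and the file now ends without a trailing newline.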