better fix for #629 #635 based on ownership/authorship rather than message flags which could be forged

1 files changed, 10 insertions, 2 deletions

diff --git a/include/zot.php b/include/zot.php
index 77843c35b..d4e75fe91 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1777,7 +1777,7 @@ function process_delivery($sender, $arr, $deliveries, $relay, $public = false, $
 					$result[] = $DR->get();
 				}
 				else {
-					update_imported_item($sender,$arr,$r[0],$channel['channel_id']);
+					update_imported_item($sender,$arr,$r[0],$channel['channel_id'],$tag_delivery);
 					$DR->update('updated');
 					$result[] = $DR->get();
 					if(! $relay)
@@ -1925,7 +1925,7 @@ function remove_community_tag($sender, $arr, $uid) {
  * @param int $uid
  */
 
-function update_imported_item($sender, $item, $orig, $uid) {
+function update_imported_item($sender, $item, $orig, $uid, $tag_delivery) {
 
 	// If this is a comment being updated, remove any privacy information
 	// so that item_store_update will set it from the original.
@@ -1938,6 +1938,14 @@ function update_imported_item($sender, $item, $orig, $uid) {
 		unset($item['item_private']);
 	}
 
+	// we need the tag_delivery check for downstream flowing posts as the stored post 
+	// may have a different owner than the one being transmitted. 
+
+	if(($sender['hash'] != $orig['owner_xchan'] && $sender['hash'] != $orig['author_xchan']) && (! $tag_delivery)) {
+		notice('sender is not owner or author');
+		return;
+	}
+
 	$x = item_store_update($item);
 
 	// If we're updating an event that we've saved locally, we store the item info first