aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2013-09-04 23:15:53 -0700
committerfriendica <info@friendica.com>2013-09-04 23:15:53 -0700
commitf1d875c3e181ce02020830ed9e40b0ffb38ccc85 (patch)
tree5a3c07fe3d3fa8601bb2cc9ab46ffe4f00c3ec10 /include
parenta88437a1ef75c688e36788c70e53c02e873e9740 (diff)
downloadvolse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.tar.gz
volse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.tar.bz2
volse-hubzilla-f1d875c3e181ce02020830ed9e40b0ffb38ccc85.zip
issue #59 - this is a real bugger. Might seem fixed but read the code. This could potentially create a security/permissions issue
Diffstat (limited to 'include')
-rwxr-xr-xinclude/items.php9
1 files changed, 7 insertions, 2 deletions
diff --git a/include/items.php b/include/items.php
index c15bf8205..a2300c2e0 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2010,8 +2010,13 @@ function tag_deliver($uid,$item_id) {
intval($item['parent']),
intval($uid)
);
- if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) {
- logger('tag_deliver: creating second delivery chain for owner comment.');
+
+// issue #59
+// FIXME - check security on post and allowed senders, right now we just allow it. The author *may* be foreign and the original owner is lost on our copy of the post. So this could be very hard to verify. For instance what happens if the top-level post was a wall-to-wall?
+// if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) {
+ if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK)) {
+// logger('tag_deliver: creating second delivery chain for owner comment.');
+ logger('tag_deliver: creating second delivery chain for comment to tagged post.');
// now change this copy of the post to a forum head message and deliver to all the tgroup members
// also reset all the privacy bits to the forum default permissions