diff options
author | zotlabs <mike@macgirvin.com> | 2019-04-05 16:46:52 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2019-04-05 16:46:52 -0700 |
commit | 5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98 (patch) | |
tree | 69fb31b086cfbfe6ff3a2c55408a3cbd13a4e62d /include | |
parent | b2bdc73164f7ede118febf823f729e57e7f4950f (diff) | |
download | volse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.tar.gz volse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.tar.bz2 volse-hubzilla-5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98.zip |
security: perms_pending not evaluated correctly
Diffstat (limited to 'include')
-rw-r--r-- | include/permissions.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/include/permissions.php b/include/permissions.php index 115d96eca..1dcd6accb 100644 --- a/include/permissions.php +++ b/include/permissions.php @@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_ // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { $ret[$perm_name] = true; continue; } @@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = if(! $x) { // not in address book and no guest token, see if they've got an xchan + $y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1", dbesc($observer_xchan) ); @@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = } $abperms = load_abconfig($uid,$observer_xchan,'my_perms'); } - // system is blocked to anybody who is not authenticated @@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { return true; } |