Merge branch 'dev' into 'dev'

security: perms_pending not evaluated correctly

See merge request hubzilla/core!1583

1 files changed, 3 insertions, 3 deletions

diff --git a/include/permissions.php b/include/permissions.php
index 115d96eca..1dcd6accb 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_
 
 		// They are in your address book, but haven't been approved
 
-		if($channel_perm & PERMS_PENDING) {
+		if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
 			$ret[$perm_name] = true;
 			continue;
 		}
@@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
 
 			if(! $x) {
 				// not in address book and no guest token, see if they've got an xchan
+
 				$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
 					dbesc($observer_xchan)
 				);
@@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
 		}
 		$abperms = load_abconfig($uid,$observer_xchan,'my_perms');
 	}
-	
 
 	// system is blocked to anybody who is not authenticated
 
@@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
 
 	// They are in your address book, but haven't been approved
 
-	if($channel_perm & PERMS_PENDING) {
+	if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
 		return true;
 	}