authorredmatrix <git@macgirvin.com>2016-05-12 16:45:49 -0700
committerredmatrix <git@macgirvin.com>2016-05-12 16:47:03 -0700
commit781716277ba382e0415e9188c252c1b79093ed6b (patch)
tree4fe0250b2825bd2ccbf89eaecebcd39328cf38cf /include
parent4d00c480263e857eb52dcf8d0a6f08370881c8ee (diff)
SECURITY: when a comment on a private post is edited, the edited comment loses its privacy settings. The comment isn't visible in the stream but may be visible in feeds.
Diffstat (limited to 'include')
-rw-r--r--include/zot.php10
1 files changed, 10 insertions, 0 deletions
diff --git a/include/zot.php b/include/zot.php
index 157354afa..8adc74ffa 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1953,6 +1953,16 @@ function remove_community_tag($sender, $arr, $uid) {
*/
function update_imported_item($sender, $item, $orig, $uid) {
+ // If this is a comment being updated, remove any privacy information
+ // so that item_store_update will set it from the original.
+
+ if($item['mid'] !== $item['parent_mid']) {
+ unset($item['allow_cid']);
+ unset($item['allow_gid']);
+ unset($item['deny_cid']);
+ unset($item['deny_gid']);
+ unset($item['item_private']);
+ }
$x = item_store_update($item);
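Review bot: The comment-versus-post test in the added `if($item['mid'] !== $item['parent_mid'])` reads both fields from the incoming `$item`, so an update in which `parent_mid` is absent or does not match the stored value skips the stripping and keeps whatever `allow_*`, `deny_*` and `item_private` values it arrived with. The function already receives `$orig`; if that holds the stored copy of the item, deciding from its `mid` and `parent_mid` would not depend on the payload, and a missing key would no longer raise an undefined-index notice. The fix also relies on `item_store_update` restoring the five unset fields from the original, which is not visible here, so it is worth confirming that it does not fall back to empty or public defaults and saying so in a comment such as `// relies on item_store_update() copying ACL fields from the stored item when they are unset`. A regression test that edits a comment on a private post and checks it stays out of feeds would pin the behaviour. The body of update_imported_item continues outside the hunk.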