authorfriendica <info@friendica.com>2014-01-10 00:58:53 -0800
committerfriendica <info@friendica.com>2014-01-10 00:58:53 -0800
commit0fef87cb43376289c39ddb0e30ee7a35fa97086d (patch)
tree2bfd271aa66d8ee2d3c1dcce741fbf7e8ad8c473 /mod/channel.php
parent13d0a914c7b6e053c19e34f74f6f30ed030487ae (diff)
security fix for channel?mid= per zottel
Diffstat (limited to 'mod/channel.php')
-rw-r--r--mod/channel.php6
1 files changed, 4 insertions, 2 deletions
diff --git a/mod/channel.php b/mod/channel.php
index 20f6fec18..dac4ba2bf 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -135,9 +135,11 @@ function channel_content(&$a, $update = 0, $load = false) {
if(($update) && (! $load)) {
if ($mid) {
- $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1",
+ $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+ AND (item_flags & %d) $sql_extra limit 1",
dbesc($mid),
- intval($a->profile['profile_uid'])
+ intval($a->profile['profile_uid']),
+ intval(ITEM_WALL)
);
} else {
$r = q("SELECT distinct parent AS `item_id` from item
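Review bot: The two predicates added to the `$mid` query have no comment explaining that they are an access check, so a later cleanup of this SQL could drop them and again return the parent of an item that is restricted or not a wall post. I would add a line above the `q()` call such as `// mid is request-supplied: only resolve unrestricted wall items (item_restrict = 0, ITEM_WALL) for this channel`. The `else` branch starts on the last line of the hunk and its WHERE clause is not visible here, so it is worth confirming that it applies the same two conditions. `$sql_extra` is still interpolated straight into the string and is built outside the hunk; presumably it is assembled only from escaped values, but that should be verified as part of a security fix. The body of `channel_content` continues outside the hunk.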