diff options
author | redmatrix <git@macgirvin.com> | 2016-01-24 15:44:16 -0800 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-01-24 15:44:16 -0800 |
commit | 5e9e1b2c9171905520672f7a833157d7dd53980c (patch) | |
tree | dea0b7b9b87d15e1c707dec1b821d2f4e1b7ca3f /mod | |
parent | baed7d339ee0d5139fe1c93691a4225796e7e08c (diff) | |
download | volse-hubzilla-5e9e1b2c9171905520672f7a833157d7dd53980c.tar.gz volse-hubzilla-5e9e1b2c9171905520672f7a833157d7dd53980c.tar.bz2 volse-hubzilla-5e9e1b2c9171905520672f7a833157d7dd53980c.zip |
cleanup and add comments about what we're trying to do here
Diffstat (limited to 'mod')
-rw-r--r-- | mod/new_channel.php | 14 | ||||
-rw-r--r-- | mod/thing.php | 1 |
2 files changed, 12 insertions, 3 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php index 0429bbee7..07b6cfc85 100644 --- a/mod/new_channel.php +++ b/mod/new_channel.php @@ -64,7 +64,14 @@ function new_channel_post(&$a) { $arr = $_POST; - if((! $a->get_account()) || ($arr['account_id'] = get_account_id()) === false) { + $acc = $a->get_account(); + $arr['account_id'] = get_account_id(); + + // prevent execution by delegated channels as well as those not logged in. + // get_account_id() returns the account_id from the session. But $a->account + // may point to the original authenticated account. + + if((! $acc) || ($acc['account_id'] != $arr['account_id'])) { notice( t('Permission denied.') . EOL ); return; } @@ -95,7 +102,10 @@ function new_channel_post(&$a) { function new_channel_content(&$a) { - if(! $a->get_account()) { + + $acc = $a->get_account(); + + if((! $acc) || $acc['account_id'] != get_account_id()) { notice( t('Permission denied.') . EOL); return; } diff --git a/mod/thing.php b/mod/thing.php index 280cc194d..7c5020e62 100644 --- a/mod/thing.php +++ b/mod/thing.php @@ -14,7 +14,6 @@ function thing_init(&$a) { if(! local_channel()) return; - $account_id = $a->get_account(); $channel = $a->get_channel(); $term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : ''); |