diff options
author | zottel <github@zottel.net> | 2014-01-10 13:38:38 +0100 |
---|---|---|
committer | zottel <github@zottel.net> | 2014-01-10 13:38:38 +0100 |
commit | ea511c67c7b4d67cb98a92d6e86c634e6b37dc64 (patch) | |
tree | 69408d86b902c5f9438c1ff648b1c009f231fe48 /mod | |
parent | 4e9866f6b20d3747b948b2eab3f6dfb23cc884e7 (diff) | |
download | volse-hubzilla-ea511c67c7b4d67cb98a92d6e86c634e6b37dc64.tar.gz volse-hubzilla-ea511c67c7b4d67cb98a92d6e86c634e6b37dc64.tar.bz2 volse-hubzilla-ea511c67c7b4d67cb98a92d6e86c634e6b37dc64.zip |
add security fix to load case, too
Diffstat (limited to 'mod')
-rw-r--r-- | mod/channel.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/mod/channel.php b/mod/channel.php index dac4ba2bf..a936650f3 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) { intval($a->profile['profile_uid']), intval(ITEM_WALL) ); + if (! $r) { + notice( t('Permission denied.') . EOL); + } } else { $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan @@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) { if($load || ($_COOKIE['jsAvailable'] != 1)) { if ($mid) { - $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", - dbesc($mid) + $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0 + AND (item_flags & %d) $sql_extra limit 1", + dbesc($mid), + intval($a->profile['profile_uid']), + intval(ITEM_WALL) ); if (! $r) { - notice( t('Item not found.') . EOL); + notice( t('Permission denied.') . EOL); } } else { |