-rw-r--r--include/conversation.php2
-rw-r--r--mod/editwebpage.php9
-rw-r--r--mod/webpages.php4
3 files changed, 12 insertions, 3 deletions
diff --git a/include/conversation.php b/include/conversation.php
index 5ae2250a8..19c5bda14 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1637,7 +1637,7 @@ function profile_tabs($a, $is_owner = false, $nickname = null){
);
}
- if ($is_owner && feature_enabled($uid,'webpages')) {
+ if ($p['write_pages'] && feature_enabled($uid,'webpages')) {
$tabs[] = array(
'label' => t('Webpages'),
'url' => $a->get_baseurl() . '/webpages/' . $nickname,
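Review bot: The condition now reads `$p['write_pages']`, but `$p` is assigned outside this hunk, so it is not visible here whether that key is present for every observer (for example a visitor with no identity). If it can be absent, `if (! empty($p['write_pages']) && feature_enabled($uid,'webpages')) {` avoids an undefined-index notice and keeps the tab hidden by default. The tab is presentation only, so the access decision itself still has to be made in the webpages modules. profile_tabs starts and ends outside the hunk.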
diff --git a/mod/editwebpage.php b/mod/editwebpage.php
index a7564a126..a1918741b 100644
--- a/mod/editwebpage.php
+++ b/mod/editwebpage.php
@@ -90,11 +90,18 @@ function editwebpage_content(&$a) {
// We've already figured out which item we want and whose copy we need,
// so we don't need anything fancy here
- $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
+ $sql_extra = item_permissions_sql($owner);
+
+ $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s $sql_extra LIMIT 1",
intval($post_id),
intval($owner)
);
+ if(! $itm) {
+ notice( t('Permission denied.') . EOL);
+ return;
+ }
+
if($itm[0]['item_flags'] & ITEM_OBSCURED) {
$key = get_config('system','prvkey');
if($itm[0]['title'])
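Review bot: `item_permissions_sql($owner)`, going by its name, limits the row to items the current observer may view, but this function serves the edit form, so view access alone should not be enough to pass the new `if(! $itm)` guard and reach the decryption of obscured fields below it. Whether a `write_pages` check on the observer runs earlier in editwebpage_content is not visible in this hunk. If it does, a comment such as `// $sql_extra only enforces view access; write_pages is checked above` would make that dependency explicit; if it does not, that check belongs before the query. The same question applies to the listing query in mod/webpages.php, whose surrounding comment says each returned row gets an edit link. Separately, `uid = %s` is fed `intval($owner)` and would be more consistent as `uid = %d`.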
diff --git a/mod/webpages.php b/mod/webpages.php
index 615969d78..44b4ee561 100644
--- a/mod/webpages.php
+++ b/mod/webpages.php
@@ -131,8 +131,10 @@ function webpages_content(&$a) {
// so just list titles and an edit link.
/** @TODO - this should be replaced with pagelist_widget */
+ $sql_extra = item_permissions_sql($owner);
+
$r = q("select * from item_id left join item on item_id.iid = item.id
- where item_id.uid = %d and service = 'WEBPAGE' order by item.created desc",
+ where item_id.uid = %d and service = 'WEBPAGE' $sql_extra order by item.created desc",
intval($owner)
);
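Review bot: `$sql_extra` is appended unqualified to a query that joins `item_id` and `item`, and it is interpolated into the format string that `q()` then fills from its arguments. item_permissions_sql() is defined outside this diff, so two things are worth confirming. First, every column it names should exist only in `item`, since the existing `item_id.uid` qualifier suggests the two tables share column names. Second, any literal `%` in the fragment should already be escaped for the printf-style pass. A comment above the assignment, e.g. `// pre-escaped SQL fragment from item_permissions_sql(); its columns refer to item`, would record that assumption.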