-rwxr-xr-x | include/items.php | 4 | ||||
-rw-r--r-- | mod/item.php | 10 | ||||
-rw-r--r-- | mod/network.php | 2 |
3 files changed, 13 insertions, 3 deletions
diff --git a/include/items.php b/include/items.php
index a60e3fdd6..4e8a5c46f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -68,6 +68,8 @@ function can_comment_on_post($observer_xchan,$item) {
 return false;
 if($item['comment_policy'] === 'none')
 return false;
+ if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
+ return true;
 switch($item['comment_policy']) {
 case 'self':
 if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
@@ -3660,7 +3662,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
 info( t('Group is empty'));
 }
- $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
+ $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
 }
 elseif($arr['cid'] && $uid) {
diff --git a/mod/item.php b/mod/item.php
index 895784ff9..2ebb02869 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -153,11 +153,19 @@ function item_post(&$a) {
 }
+ $observer = $a->get_observer();
+
+
 if($parent) {
 logger('mod_item: item_post parent=' . $parent);
+ if(! can_comment_on_post($observer['xchan_hash'],$parent_item)) {
+ notice( t('Permission denied.') . EOL) ;
+ if(x($_REQUEST,'return'))
+ goaway($a->get_baseurl() . "/" . $return_path );
+ killme();
+ }
 }
- $observer = $a->get_observer();
 if(! perm_is_allowed($profile_uid,$observer['xchan_hash'],(($parent) ? 'post_comments' : 'post_wall'))) {
 notice( t('Permission denied.') . EOL) ;
diff --git a/mod/network.php b/mod/network.php
index 0d5f57a39..ac8c38290 100644
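Review bot: In can_comment_on_post() (include/items.php) the new early `return true` for the author or owner leaves the identical test under `case 'self':` a few lines below unable to succeed, so that case now only ever falls through to whatever follows it. The rest of the switch is outside the hunk, but the duplicate condition should be dropped or the case reduced to its fall-through. The placement after the `'none'` test means a policy of `'none'` still blocks the author and owner; a comment such as `// author and owner may always comment unless comment_policy is 'none'` would make that ordering deliberate. The guard that precedes the first `return false;` is also outside the hunk; if it does not reject an empty `$observer_xchan`, the strict comparison could match an item whose `author_xchan` or `owner_xchan` is an empty string.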
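Review bot: The subquery in items_fetch() (include/items.php) is still assembled by concatenating `$sql_options` and `$contact_str` directly into the SQL text, and only the group hash passes through `dbesc()`. Both variables are built outside the hunk, so it is worth confirming that every xchan hash placed in `$contact_str` is escaped and quoted where the list is assembled. The same statement is edited in network_content() in mod/network.php; moving it to one shared helper would keep the two filters from drifting apart. If the added `id = parent` is meant to restrict the match to thread-starting items, a short comment saying so, for example `// id = parent: only consider top-level posts`, would record the intent.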
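Review bot: The new denial branch in item_post() (mod/item.php) exits without recording who was refused, because the only log line runs before the check and carries just the parent id. Adding `logger('mod_item: comment on parent ' . $parent . ' denied for ' . $observer['xchan_hash']);` ahead of `notice(...)` would make repeated refused attempts visible in the log. `$parent_item` and `$return_path` are both set outside the hunk; presumably `$parent_item` is always populated when `$parent` is truthy, otherwise can_comment_on_post() receives null and indexes into it. The branch also repeats the notice/goaway/killme sequence of the perm_is_allowed() block directly below, which could share one small helper.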
--- a/mod/network.php
+++ b/mod/network.php
@@ -446,7 +446,7 @@ function network_content(&$a, $update = 0, $load = false) {
 info( t('Group is empty'));
 }
- $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
+ $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
 } |