aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--mod/new_channel.php14
-rw-r--r--mod/thing.php1
2 files changed, 12 insertions, 3 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php
index 0429bbee7..07b6cfc85 100644
--- a/mod/new_channel.php
+++ b/mod/new_channel.php
@@ -64,7 +64,14 @@ function new_channel_post(&$a) {
$arr = $_POST;
- if((! $a->get_account()) || ($arr['account_id'] = get_account_id()) === false) {
+ $acc = $a->get_account();
+ $arr['account_id'] = get_account_id();
+
+ // prevent execution by delegated channels as well as those not logged in.
+ // get_account_id() returns the account_id from the session. But $a->account
+ // may point to the original authenticated account.
+
+ if((! $acc) || ($acc['account_id'] != $arr['account_id'])) {
notice( t('Permission denied.') . EOL );
return;
}
@@ -95,7 +102,10 @@ function new_channel_post(&$a) {
function new_channel_content(&$a) {
- if(! $a->get_account()) {
+
+ $acc = $a->get_account();
+
+ if((! $acc) || $acc['account_id'] != get_account_id()) {
notice( t('Permission denied.') . EOL);
return;
}
diff --git a/mod/thing.php b/mod/thing.php
index 280cc194d..7c5020e62 100644
--- a/mod/thing.php
+++ b/mod/thing.php
@@ -14,7 +14,6 @@ function thing_init(&$a) {
if(! local_channel())
return;
- $account_id = $a->get_account();
$channel = $a->get_channel();
$term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : '');