diff options
-rw-r--r-- | mod/new_channel.php | 14 | ||||
-rw-r--r-- | mod/thing.php | 1 |
2 files changed, 12 insertions, 3 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php index 0429bbee7..07b6cfc85 100644 --- a/mod/new_channel.php +++ b/mod/new_channel.php @@ -64,7 +64,14 @@ function new_channel_post(&$a) { $arr = $_POST; - if((! $a->get_account()) || ($arr['account_id'] = get_account_id()) === false) { + $acc = $a->get_account(); + $arr['account_id'] = get_account_id(); + + // prevent execution by delegated channels as well as those not logged in. + // get_account_id() returns the account_id from the session. But $a->account + // may point to the original authenticated account. + + if((! $acc) || ($acc['account_id'] != $arr['account_id'])) { notice( t('Permission denied.') . EOL ); return; } @@ -95,7 +102,10 @@ function new_channel_post(&$a) { function new_channel_content(&$a) { - if(! $a->get_account()) { + + $acc = $a->get_account(); + + if((! $acc) || $acc['account_id'] != get_account_id()) { notice( t('Permission denied.') . EOL); return; } diff --git a/mod/thing.php b/mod/thing.php index 280cc194d..7c5020e62 100644 --- a/mod/thing.php +++ b/mod/thing.php @@ -14,7 +14,6 @@ function thing_init(&$a) { if(! local_channel()) return; - $account_id = $a->get_account(); $channel = $a->get_channel(); $term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : ''); |