diff options
Diffstat (limited to 'mod/new_channel.php')
-rw-r--r-- | mod/new_channel.php | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php index bec2a3c09..07b6cfc85 100644 --- a/mod/new_channel.php +++ b/mod/new_channel.php @@ -64,7 +64,14 @@ function new_channel_post(&$a) { $arr = $_POST; - if(($arr['account_id'] = get_account_id()) === false) { + $acc = $a->get_account(); + $arr['account_id'] = get_account_id(); + + // prevent execution by delegated channels as well as those not logged in. + // get_account_id() returns the account_id from the session. But $a->account + // may point to the original authenticated account. + + if((! $acc) || ($acc['account_id'] != $arr['account_id'])) { notice( t('Permission denied.') . EOL ); return; } @@ -95,7 +102,10 @@ function new_channel_post(&$a) { function new_channel_content(&$a) { - if(! get_account_id()) { + + $acc = $a->get_account(); + + if((! $acc) || $acc['account_id'] != get_account_id()) { notice( t('Permission denied.') . EOL); return; } |