aboutsummaryrefslogtreecommitdiffstats
path: root/mod/new_channel.php
diff options
context:
space:
mode:
Diffstat (limited to 'mod/new_channel.php')
-rw-r--r--mod/new_channel.php14
1 files changed, 12 insertions, 2 deletions
diff --git a/mod/new_channel.php b/mod/new_channel.php
index bec2a3c09..07b6cfc85 100644
--- a/mod/new_channel.php
+++ b/mod/new_channel.php
@@ -64,7 +64,14 @@ function new_channel_post(&$a) {
$arr = $_POST;
- if(($arr['account_id'] = get_account_id()) === false) {
+ $acc = $a->get_account();
+ $arr['account_id'] = get_account_id();
+
+ // prevent execution by delegated channels as well as those not logged in.
+ // get_account_id() returns the account_id from the session. But $a->account
+ // may point to the original authenticated account.
+
+ if((! $acc) || ($acc['account_id'] != $arr['account_id'])) {
notice( t('Permission denied.') . EOL );
return;
}
@@ -95,7 +102,10 @@ function new_channel_post(&$a) {
function new_channel_content(&$a) {
- if(! get_account_id()) {
+
+ $acc = $a->get_account();
+
+ if((! $acc) || $acc['account_id'] != get_account_id()) {
notice( t('Permission denied.') . EOL);
return;
}