Diffstat (limited to 'mod')
-rw-r--r-- | mod/channel.php | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/mod/channel.php b/mod/channel.php index 205a89fa3..8e44a329b 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -177,6 +177,10 @@ function channel_content(&$a, $update = 0, $load = false) { $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", dbesc($mid) ); + if (! $r) { + notice( t('Item not found.') . EOL); + } + } else { $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan @@ -197,6 +201,23 @@ function channel_content(&$a, $update = 0, $load = false) { } } + if ($mid && $r) { + // make sure we don't show other people's posts from our matrix + // as $a->profile['channel_hash'] isn't set when a JS query comes in + // we have to do that with a join + $ismine = q("SELECT * from item + join channel on item.owner_xchan = channel.channel_hash + where item.id = %d and channel.channel_id = %d", + dbesc($r[0]['item_id']), + intval($a->profile['profile_uid']) + ); + if (!$ismine) { + if ($load) + notice( t('Permission denied.') . EOL); + $r = array(); + } + } + if($r) { $parents_str = ids_to_querystr($r,'item_id'); @@ -214,12 +235,10 @@ function channel_content(&$a, $update = 0, $load = false) { $items = fetch_post_tags($items, true); $items = conv_sort($items,'created'); - if ($mid && (! count($items))) { - // This will happen if channel is called with a mid from another - // channel, if we don't have sufficient permissions to view the - // item, or if it doesn't exist. - // Do we need separate error messages for that? - notice( t('Item not found.') . EOL); + if ($load && $mid && (! count($items))) { + // This will happen if we don't have sufficient permissions + // to view the parent item (or the item itself if it is toplevel) + notice( t('Permission denied.') . EOL); } } else { |
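Review bot: The added `notice( t('Item not found.') . EOL);` in the first hunk is not gated on `$load`, while the other two notices this commit adds are (`if ($load)` inside the ownership check and `if ($load && $mid && (! count($items)))` after the sort). The new comment says JS queries reach this code, so the message would presumably be queued again on every update request; `if ($load && ! $r) {` would match the other two. Separately, the lookup is `where mid = '%s' limit 1` with no channel restriction, so answering 'Item not found.' for an unknown mid and 'Permission denied.' for a stored but non-viewable one tells any visitor whether a given mid exists on this site. If that distinction is not meant to be public, return the same message in both cases. channel_content starts and ends outside the hunk.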
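Review bot: In the `$ismine` query of the second hunk the `%d` placeholder for `item.id` is filled through `dbesc()`, a string escaper, while the argument after it uses `intval()`; `intval($r[0]['item_id'])` states the intent and does not rely on how q() formats `%d`. The check only needs to know whether a row exists, so `SELECT item.id ... limit 1` is enough instead of `SELECT *` across the join. The row being tested is whichever one `where mid = '%s' limit 1` returned first. If several channels on the site can each hold a copy of the same mid (an assumption, the schema is not shown here), the owner of a legitimate copy could be denied depending on row order, and moving the `join channel ... channel.channel_id = %d` condition into that first lookup would avoid this. Also put braces around the `if ($load)` body so that `$r = array();` is visibly unconditional, since that assignment is what makes the check fail closed.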