Diffstat (limited to 'mod')
-rw-r--r-- | mod/magic.php | 2 | ||||
-rw-r--r-- | mod/manage.php | 2 | ||||
-rw-r--r-- | mod/new_channel.php | 14 | ||||
-rw-r--r-- | mod/thing.php | 1 |
4 files changed, 16 insertions, 3 deletions
diff --git a/mod/magic.php b/mod/magic.php index 2fee87241..12679773b 100644 --- a/mod/magic.php +++ b/mod/magic.php @@ -105,6 +105,7 @@ function magic_init(&$a) { $r = q("select * from channel left join hubloc on channel_hash = hubloc_hash where hubloc_addr = '%s' limit 1", dbesc($delegate) ); + if($r && intval($r[0]['channel_id'])) { $allowed = perm_is_allowed($r[0]['channel_id'],get_observer_hash(),'delegate'); if($allowed) { @@ -112,6 +113,7 @@ function magic_init(&$a) { $_SESSION['delegate'] = get_observer_hash(); $_SESSION['account_id'] = intval($r[0]['channel_account_id']); change_channel($r[0]['channel_id']); + $delegation_success = true; } } diff --git a/mod/manage.php b/mod/manage.php index b609ede44..671003efd 100644 --- a/mod/manage.php +++ b/mod/manage.php @@ -148,6 +148,8 @@ function manage_content(&$a) { for($x = 0; $x < count($delegates); $x ++) { $delegates[$x]['link'] = 'magic?f=&dest=' . urlencode($delegates[$x]['xchan_url']) . '&delegate=' . urlencode($delegates[$x]['xchan_addr']); + $delegates[$x]['channel_name'] = $delegates[$x]['xchan_name']; + $delegates[$x]['delegate'] = 1; } } else { diff --git a/mod/new_channel.php b/mod/new_channel.php index bec2a3c09..07b6cfc85 100644 --- a/mod/new_channel.php +++ b/mod/new_channel.php @@ -64,7 +64,14 @@ function new_channel_post(&$a) { $arr = $_POST; - if(($arr['account_id'] = get_account_id()) === false) { + $acc = $a->get_account(); + $arr['account_id'] = get_account_id(); + + // prevent execution by delegated channels as well as those not logged in. + // get_account_id() returns the account_id from the session. But $a->account + // may point to the original authenticated account. + + if((! $acc) || ($acc['account_id'] != $arr['account_id'])) { notice( t('Permission denied.') . EOL ); return; } 
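Review bot: `$delegation_success = true;` is only assigned on the allowed branch, so whatever reads it later in magic_init (outside this hunk) sees an undefined variable whenever the delegate lookup returns nothing or `perm_is_allowed()` denies, unless the variable is initialised earlier than the visible lines; I would add `$delegation_success = false;` before the `select * from channel left join hubloc` query, which precedes both hunks. The same branch also overwrites `$_SESSION['account_id']` with the delegate's `channel_account_id`, so from this point on `get_account_id()` reports the delegate's account rather than the one that authenticated — the new_channel.php change in this commit depends on `$a->get_account()` not being rewritten the same way, which cannot be confirmed from here. magic_init continues beyond the hunk.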
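Review bot: The new permission check in new_channel_post rejects a delegated session only if `$a->account` still holds the original account while `$_SESSION['account_id']` has been swapped — the comment itself says `$a->account` "may" point at the original account, so the denial rests on a load-order property that nothing in the hunk guarantees, and the comparison is a loose `!=`. Since magic.php sets `$_SESSION['delegate']` in this same commit, the delegated state can be tested directly and strictly: `if((! $acc) || (intval($acc['account_id']) !== intval($arr['account_id'])) || isset($_SESSION['delegate'])) {`. That keeps the rejection correct even if a later change loads `$a->account` from the rewritten session account id. new_channel_post continues past the hunk.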
@@ -95,7 +102,10 @@ function new_channel_post(&$a) { function new_channel_content(&$a) { - if(! get_account_id()) { + + $acc = $a->get_account(); + + if((! $acc) || $acc['account_id'] != get_account_id()) { notice( t('Permission denied.') . EOL); return; } diff --git a/mod/thing.php b/mod/thing.php index 280cc194d..7c5020e62 100644 --- a/mod/thing.php +++ b/mod/thing.php @@ -14,7 +14,6 @@ function thing_init(&$a) { if(! local_channel()) return; - $account_id = $a->get_account(); $channel = $a->get_channel(); $term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : ''); |
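Review bot: new_channel_content repeats the account/delegate test from new_channel_post with slightly different spelling (no parentheses around the comparison, still loose `!=`), so the two entry points can drift apart on the next edit; a single helper used by both would avoid that, e.g. `function new_channel_allowed(&$a) { $acc = $a->get_account(); return ($acc && intval($acc['account_id']) === intval(get_account_id()) && ! isset($_SESSION['delegate'])); }` followed by `if(! new_channel_allowed($a)) { notice( t('Permission denied.') . EOL); return; }` in each function. The explicit `$_SESSION['delegate']` test matches the flag magic.php sets in this commit, so the denial no longer depends on whether `$a->account` is loaded before or after the session swap. The rest of new_channel_content is outside the hunk.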