From ea511c67c7b4d67cb98a92d6e86c634e6b37dc64 Mon Sep 17 00:00:00 2001
From: zottel
Date: Fri, 10 Jan 2014 13:38:38 +0100
Subject: add security fix to load case, too
---
 mod/channel.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/mod/channel.php b/mod/channel.php
index dac4ba2bf..a936650f3 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) {
 intval($a->profile['profile_uid']),
 intval(ITEM_WALL)
 );
+ if (! $r) {
+ notice( t('Permission denied.') . EOL);
+ }
 } else {
 $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan
@@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) {
 if($load || ($_COOKIE['jsAvailable'] != 1)) {
 if ($mid) {
- $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
- dbesc($mid)
+ $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+ AND (item_flags & %d) $sql_extra limit 1",
+ dbesc($mid),
+ intval($a->profile['profile_uid']),
+ intval(ITEM_WALL)
 );
 if (! $r) {
- notice( t('Item not found.') . EOL);
+ notice( t('Permission denied.') . EOL);
 }
 } else {
-- 
cgit v1.2.3
From 1c315caa28eb991469e122fb7f8650f411152b13 Mon Sep 17 00:00:00 2001
From: zottel
Date: Fri, 10 Jan 2014 13:41:25 +0100
Subject: and don't send duplicate notices
---
 mod/channel.php | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/mod/channel.php b/mod/channel.php
index a936650f3..6e82eb1e7 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -141,9 +141,6 @@ function channel_content(&$a, $update = 0, $load = false) {
 intval($a->profile['profile_uid']),
 intval(ITEM_WALL)
 );
- if (! $r) {
- notice( t('Permission denied.') . EOL);
- }
 } else {
 $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan
-- 
cgit v1.2.3
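Review bot: `$sql_extra` is interpolated straight into the new mid lookup query on the first added line of the second hunk, while the other three predicates go through dbesc()/intval(); the hunk does not show where `$sql_extra` is built, so the assumption that it is a server-generated visibility clause and never derived from the request should be stated at the query, e.g. `// $sql_extra is the server-built permission clause (not request-derived); safe to inline`. The notice change makes a missing item and an unreadable one indistinguishable, which is the sensible choice for not revealing whether a mid exists, but it reads as accidental and a later maintainer may "fix" it back; a comment such as `// same notice for missing and forbidden so the response does not reveal whether the mid exists` would pin the intent. The `$_COOKIE['jsAvailable'] != 1` condition is context rather than new code, but note it uses a loose comparison and reads the cookie without isset(). channel_content() starts and continues outside the hunk, so what the code does with an empty `$r` after the notice cannot be checked here.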
From c4705724f1e011b8f8d8f3fef419bc27f31b93fe Mon Sep 17 00:00:00 2001
From: marijus
Date: Fri, 10 Jan 2014 16:54:16 +0100
Subject: make goaway link work
---
 mod/filestorage.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mod/filestorage.php b/mod/filestorage.php
index 3e87dccb8..18760dd45 100644
--- a/mod/filestorage.php
+++ b/mod/filestorage.php
@@ -84,12 +84,12 @@ function filestorage_content(&$a) {
 );
 if(! $r) {
 notice( t('File not found.') . EOL);
- goaway(z_root() . '/filestorage' . $which);
+ goaway(z_root() . '/filestorage/' . $which);
 }
 attach_delete($owner,$r[0]['hash']);
- goaway(z_root() . '/filestorage' . $which);
+ goaway(z_root() . '/filestorage/' . $which);
 }
-- 
cgit v1.2.3
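Review bot: The corrected redirect target `z_root() . '/filestorage/' . $which` is now built twice in the hunk, once in the not-found branch and once after attach_delete(), which is how the missing slash slipped in the first place; computing it once at the top of the block, `$redirect = z_root() . '/filestorage/' . $which;`, and calling `goaway($redirect);` in both places keeps the two from drifting apart again. `$which` is appended to the URL unencoded and its origin is outside the hunk; if it is taken from the request path, using `rawurlencode($which)` when building the redirect keeps an unexpected character in it from altering the target. filestorage_content() starts and ends outside the hunk.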