From f1d875c3e181ce02020830ed9e40b0ffb38ccc85 Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 4 Sep 2013 23:15:53 -0700 Subject: issue #59 - this is a real bugger. Might seem fixed but read the code. This could potentially create a security/permissions issue --- include/items.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/include/items.php b/include/items.php index c15bf8205..a2300c2e0 100755 --- a/include/items.php +++ b/include/items.php @@ -2010,8 +2010,13 @@ function tag_deliver($uid,$item_id) { intval($item['parent']), intval($uid) ); - if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) { - logger('tag_deliver: creating second delivery chain for owner comment.'); + +// issue #59 +// FIXME - check security on post and allowed senders, right now we just allow it. The author *may* be foreign and the original owner is lost on our copy of the post. So this could be very hard to verify. For instance what happens if the top-level post was a wall-to-wall? +// if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) { + if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK)) { +// logger('tag_deliver: creating second delivery chain for owner comment.'); + logger('tag_deliver: creating second delivery chain for comment to tagged post.'); // now change this copy of the post to a forum head message and deliver to all the tgroup members // also reset all the privacy bits to the forum default permissions -- cgit v1.2.3