From af13e5fa4a88691dc1d7a7474890b381fbb44aab Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Sun, 9 Oct 2016 21:36:55 -0700
Subject: since the snap module runs without permissions controls, verify the logged in channel matches the requested cloud path

---
 Zotlabs/Module/Snap.php | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'Zotlabs/Module')

diff --git a/Zotlabs/Module/Snap.php b/Zotlabs/Module/Snap.php
index 8e52d85ac..89aebc097 100644
--- a/Zotlabs/Module/Snap.php
+++ b/Zotlabs/Module/Snap.php
@@ -58,6 +58,15 @@ class Snap extends \Zotlabs\Web\Controller {
 else
 killme();
 
+ if($_SERVER['PHP_AUTH_USER'] && $_SERVER['PHP_AUTH_USER'] !== $which)
+ killme();
+
+ if(local_channel()) {
+ $c = \App::get_channel();
+ if($c && $c['channel_address'] !== $which)
+ killme();
+ }
+
 if(! in_array(strtolower($_SERVER['REQUEST_METHOD']),['propfind','get','head']))
 killme();
 
--
cgit v1.2.3
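Review bot: `$_SERVER['PHP_AUTH_USER']` is read without an existence check on the first added line, so every request that carries no Basic-Auth header (the normal case for a browser session that relies on local_channel()) raises an undefined-index notice before the comparison runs; use `if(isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] !== $which)`. PHP_AUTH_USER is only the name the client presented, so this branch rejects a mismatch but a matching name does not by itself show the credentials were checked — presumably the DAV layer does that, and a short comment such as `// name-only match: credentials are assumed to be verified by the DAV layer — confirm` would keep a later reader from treating this as the authentication step. A request with neither PHP_AUTH_USER nor a local session passes both new checks unchanged and proceeds to the method whitelist; if anonymous access is intended there, that is worth stating in the same comment. The enclosing method starts and ends outside the hunk.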