From 1cd779459b7f1a4dd38d7cbb9fad5f87dd204cd1 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Sat, 31 Dec 2016 15:56:45 -0800 Subject: better fix for #629 #635 based on ownership/authorship rather than message flags which could be forged --- include/zot.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'include/zot.php') diff --git a/include/zot.php b/include/zot.php index 77843c35b..d4e75fe91 100644 --- a/include/zot.php +++ b/include/zot.php @@ -1777,7 +1777,7 @@ function process_delivery($sender, $arr, $deliveries, $relay, $public = false, $ $result[] = $DR->get(); } else { - update_imported_item($sender,$arr,$r[0],$channel['channel_id']); + update_imported_item($sender,$arr,$r[0],$channel['channel_id'],$tag_delivery); $DR->update('updated'); $result[] = $DR->get(); if(! $relay) @@ -1925,7 +1925,7 @@ function remove_community_tag($sender, $arr, $uid) { * @param int $uid */ -function update_imported_item($sender, $item, $orig, $uid) { +function update_imported_item($sender, $item, $orig, $uid, $tag_delivery) { // If this is a comment being updated, remove any privacy information // so that item_store_update will set it from the original. @@ -1938,6 +1938,14 @@ function update_imported_item($sender, $item, $orig, $uid) { unset($item['item_private']); } + // we need the tag_delivery check for downstream flowing posts as the stored post + // may have a different owner than the one being transmitted. + + if(($sender['hash'] != $orig['owner_xchan'] && $sender['hash'] != $orig['author_xchan']) && (! $tag_delivery)) { + notice('sender is not owner or author'); + return; + } + $x = item_store_update($item); // If we're updating an event that we've saved locally, we store the item info first -- cgit v1.2.3