From e2eb0b2eac6f32a0e4781eabbb147f0bee0736fb Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Sat, 31 Dec 2016 15:56:45 -0800
Subject: better fix for #629 #635 based on ownership/authorship rather than message flags which could be forged
---
 include/zot.php | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
(limited to 'include/zot.php')
diff --git a/include/zot.php b/include/zot.php
index 43749840a..96ec71112 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1782,7 +1782,7 @@ function process_delivery($sender, $arr, $deliveries, $relay, $public = false, $
 $result[] = $DR->get();
 }
 else {
- update_imported_item($sender,$arr,$r[0],$channel['channel_id']);
+ update_imported_item($sender,$arr,$r[0],$channel['channel_id'],$tag_delivery);
 $DR->update('updated');
 $result[] = $DR->get();
 if(! $relay)
@@ -1930,7 +1930,7 @@ function remove_community_tag($sender, $arr, $uid) {
 * @param int $uid
 */
-function update_imported_item($sender, $item, $orig, $uid) {
+function update_imported_item($sender, $item, $orig, $uid, $tag_delivery) {
 // If this is a comment being updated, remove any privacy information
 // so that item_store_update will set it from the original.
@@ -1943,16 +1943,11 @@ function update_imported_item($sender, $item, $orig, $uid) {
 unset($item['item_private']);
 }
- // Subtle issue where we might receive an edit item update from a downstream source.
- // Ignore unless it comes from upstream.
+ // we need the tag_delivery check for downstream flowing posts as the stored post
+ // may have a different owner than the one being transmitted.
- $x = q("select item_wall from item where mid = '%s' and uid = %d limit 1",
- dbesc($item['mid']),
- intval($uid)
- );
-
- if($x && $x[0]['item_wall'] == 1 && $item['item_wall'] == 0) {
- notice('remote wall update ignored');
+ if(($sender['hash'] != $orig['owner_xchan'] && $sender['hash'] != $orig['author_xchan']) && (! $tag_delivery)) {
+ notice('sender is not owner or author');
 return;
 }
--
cgit v1.2.3
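Review bot: In the `process_delivery` hunk, `$DR->update('updated')` still runs unconditionally after the call to `update_imported_item`, so an edit that the new owner/author check rejects is still reported to the sender as 'updated', and the `if(! $relay)` branch after it is still reached. The rejection path in `update_imported_item` is a bare `return;`, so the caller cannot tell a stored update from a refused one. Consider returning a boolean and branching on it, e.g. `if(! update_imported_item($sender,$arr,$r[0],$channel['channel_id'],$tag_delivery)) { /* set a distinct delivery-report status and skip the rest */ }`. The body of `process_delivery` starts and ends outside this hunk, so whatever follows `if(! $relay)` should be checked as well.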
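Review bot: The new `$tag_delivery` parameter on `update_imported_item` is required and undocumented; the docblock visible above the signature still ends at `@param int $uid`. Any call site other than the one updated in `process_delivery` (none are visible in this patch) would now warn or fail on the missing argument. A default that fails closed keeps such callers on the strict owner/author path: `function update_imported_item($sender, $item, $orig, $uid, $tag_delivery = false) {`. I would also add `@param boolean $tag_delivery` to the docblock, stating that a true value skips the sender ownership check. The function body continues outside this hunk.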
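Review bot: The sender check added in `update_imported_item` compares identity hashes with loose `!=` and is bypassed whenever `$tag_delivery` is truthy. Under loose comparison two numeric-looking strings, or a null and an empty value, can compare equal, so an authorization decision should use strict operators: `if($sender['hash'] !== $orig['owner_xchan'] && $sender['hash'] !== $orig['author_xchan'] && ! $tag_delivery) {`. Since the commit's stated rationale is that message flags can be forged, confirm that `$tag_delivery` is computed from local channel state rather than from fields of the incoming item (its origin is not visible in this patch), and say so in the comment above the check. The rejection is only surfaced through `notice()`; a log entry naming the rejected sender hash and the item `mid` would give operators something to alert on.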