From db8ebc9f375478bddc0f48d972e3acfbde80685a Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 9 Jan 2014 15:45:17 -0800
Subject: some minor cleanup on plinks for some very subtle permissions issues
---
 mod/channel.php | 24 ++++--------------------
 1 file changed, 4 insertions(+), 20 deletions(-)
(limited to 'mod/channel.php')
diff --git a/mod/channel.php b/mod/channel.php
index 8e44a329b..20f6fec18 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -104,7 +104,7 @@ function channel_content(&$a, $update = 0, $load = false) {
 );
- if($perms['post_wall'] && (!$mid)) {
+ if($perms['post_wall']) {
 $x = array(
 'is_owner' => $is_owner,
@@ -135,8 +135,9 @@ function channel_content(&$a, $update = 0, $load = false) {
 if(($update) && (! $load)) {
 if ($mid) {
- $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
- dbesc($mid)
+ $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1",
+ dbesc($mid),
+ intval($a->profile['profile_uid'])
 );
 } else {
 $r = q("SELECT distinct parent AS `item_id` from item
@@ -201,23 +202,6 @@ function channel_content(&$a, $update = 0, $load = false) {
 }
 }
- if ($mid && $r) {
- // make sure we don't show other people's posts from our matrix
- // as $a->profile['channel_hash'] isn't set when a JS query comes in
- // we have to do that with a join
- $ismine = q("SELECT * from item
- join channel on item.owner_xchan = channel.channel_hash
- where item.id = %d and channel.channel_id = %d",
- dbesc($r[0]['item_id']),
- intval($a->profile['profile_uid'])
- );
- if (!$ismine) {
- if ($load)
- notice( t('Permission denied.') . EOL);
- $r = array();
- }
- }
-
 if($r) {
 $parents_str = ids_to_querystr($r,'item_id');
--
cgit v1.2.3
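Review bot: In the `@@ -135,8 +135,9 @@` hunk the `$mid` lookup is now scoped by `uid = %d`, which is not the same test as the `item.owner_xchan = channel.channel_hash` join that the last hunk deletes: the new filter matches on the item's `uid` column, while the removed check required the page's channel to be the item's owner. Unless `$sql_extra` (built outside the hunk) already restricts the result to that channel's own posts, a `mid` for somebody else's post stored under the same `uid` would presumably now resolve on this page, which is what the deleted comment said the check was there to prevent. I would keep the owner condition in this query, for example the removed `join channel on item.owner_xchan = channel.channel_hash` together with `channel.channel_id = %d`, or add a comment stating why `uid` plus `$sql_extra` is sufficient. channel_content() starts and ends outside the hunk.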
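Review bot: The `$ismine` check deleted in the `@@ -201,23 +202,6 @@` hunk also covered the `$load` path (it called `notice()` when `$load` was set), but the only query this commit tightens sits inside `if(($update) && (! $load))`; the diffstat's 4 insertions are all in the first two hunks. Any `$mid` query used on the `$load` path lies outside the hunks, so it should be confirmed that it already carries `and uid = %d $sql_extra` with `intval($a->profile['profile_uid'])`; if it does not, removing this block leaves that path with no ownership or permission filter. A refused lookup now also yields an empty result silently instead of `Permission denied.`, so a one-line comment at the old location such as `// access to $mid is enforced in the item queries above (uid + $sql_extra)` would help the next reader.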