From ea511c67c7b4d67cb98a92d6e86c634e6b37dc64 Mon Sep 17 00:00:00 2001
From: zottel <github@zottel.net>
Date: Fri, 10 Jan 2014 13:38:38 +0100
Subject: add security fix to load case, too

---
 mod/channel.php | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'mod/channel.php')

diff --git a/mod/channel.php b/mod/channel.php
index dac4ba2bf..a936650f3 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -141,6 +141,9 @@ function channel_content(&$a, $update = 0, $load = false) {
 				intval($a->profile['profile_uid']),
 				intval(ITEM_WALL)
 			);
+			if (! $r) {
+				notice( t('Permission denied.') . EOL);
+			}
 		} else {
 			$r = q("SELECT distinct parent AS `item_id` from item
 				left join abook on item.author_xchan = abook.abook_xchan
@@ -177,11 +180,14 @@ function channel_content(&$a, $update = 0, $load = false) {
 
 		if($load || ($_COOKIE['jsAvailable'] != 1)) {
 			if ($mid) {
-				$r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
-					dbesc($mid)
+				$r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+					AND (item_flags &  %d) $sql_extra limit 1",
+					dbesc($mid),
+					intval($a->profile['profile_uid']),
+					intval(ITEM_WALL)
 				);
 				if (! $r) {
-					notice( t('Item not found.') . EOL);
+					notice( t('Permission denied.') . EOL);
 				}
 
 			} else {
-- 
cgit v1.2.3