From 35ed18967a61e9871becbe6676603ce8e43eeec3 Mon Sep 17 00:00:00 2001
From: friendica
Date: Tue, 29 Jul 2014 20:13:01 -0700
Subject: block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong and recover his/her password and potentially save their channel from getting erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.
---
 mod/removeme.php | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'mod/removeme.php')
diff --git a/mod/removeme.php b/mod/removeme.php
index f0b4ae3c0..095570480 100644
--- a/mod/removeme.php
+++ b/mod/removeme.php
@@ -23,6 +23,14 @@ function removeme_post(&$a) {
 if(! account_verify_password($account['account_email'],$_POST['qxz_password'])) return;
+ if($account['account_password_changed'] != '0000-00-00 00:00:00') {
+ $d1 = datetime_convert('UTC','UTC','now - 48 hours');
+ if($account['account_password_changed'] > d1) {
+ notice( t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
+ return;
+ }
+ }
+ require_once('include/Contact.php');
 $global_remove = intval($_POST['global']);
-- cgit v1.2.3
From fc94a638cd16dce8ed0d2772d29432f99396a70f Mon Sep 17 00:00:00 2001
From: Christian Vogeley
Date: Thu, 14 Aug 2014 20:17:57 +0200
Subject: Some work on account deletion
---
 mod/removeme.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'mod/removeme.php')
diff --git a/mod/removeme.php b/mod/removeme.php
index 095570480..13bf6cf63 100644
--- a/mod/removeme.php
+++ b/mod/removeme.php
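Review bot: In the first commit's hunk (`@@ -23,6 +23,14 @@`), the added comparison `if($account['account_password_changed'] > d1) {` is missing the `$` on `d1`, so it refers to an undefined constant and not to the cutoff computed on the line above. On PHP versions that fall back to the string `'d1'`, a timestamp beginning with a digit always sorts below it, so the branch never runs and the 48-hour hold described in the commit message is not enforced; PHP 8 raises an Error here instead. The line should read `if($account['account_password_changed'] > $d1) {`. The check also relies on both values being strings in the same sortable format, which presumably holds for the default output of `datetime_convert` but is worth confirming. `removeme_post` starts and ends outside the hunk.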
@@ -35,7 +35,7 @@ function removeme_post(&$a) {
 $global_remove = intval($_POST['global']);
- channel_remove(local_user(),1 - $global_remove);
+ channel_remove(local_user(),1 - $global_remove,true);
 }
-- cgit v1.2.3
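Review bot: The new third argument in `channel_remove(local_user(),1 - $global_remove,true);` is a bare positional `true`, and neither the hunk nor the commit message says what it turns on, which matters for a call that permanently removes a channel. I would add a one-line comment above the call naming the flag, for example `// third argument: <what the flag enables, per channel_remove()>`. Separately, `$global_remove` is `intval($_POST['global'])` with no clamping, so `1 - $global_remove` is only 0 or 1 when the posted value is; normalising it first, e.g. `$global_remove = (intval($_POST['global']) ? 1 : 0);`, would keep the second argument predictable. `removeme_post` starts outside the hunk.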