From a47a1d5eb9d8e28a646540c5d19e05ffe35774cc Mon Sep 17 00:00:00 2001
From: friendica
Date: Fri, 2 Nov 2012 16:25:59 -0700
Subject: secure permission discovery
---
 mod/zfinger.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'mod/zfinger.php')
diff --git a/mod/zfinger.php b/mod/zfinger.php
index 5567f85cf..80411d16c 100644
--- a/mod/zfinger.php
+++ b/mod/zfinger.php
@@ -78,10 +78,12 @@ function zfinger_init(&$a) {
 // FIXME encrypt permissions when targeted so that only the target can view them, requires sending the pubkey and also checking that the target_sig is signed with that pubkey and isn't a forgery.
- $ret['permissions'] = get_all_perms($e['channel_id'],(($ztarget && $zsig)
+
+ $permissions = get_all_perms($e['channel_id'],(($ztarget && $zsig)
 ? base64url_encode(hash('whirlpool',$ztarget . $zsig,true)) : '' ),false);
+ $ret['permissions'] = (($ztarget) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions);
 // $ret['profile'] = $profile;
-- 
cgit v1.2.3
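Review bot: The added `$ret['permissions']` line encrypts whenever `$ztarget` is set, while the lookup just above treats the request as targeted only when both `$ztarget` and `$zsig` are present, and nothing in the hunk verifies that `$zsig` was made with the key held in `$zkey`, which is the forgery check the FIXME kept as context still asks for. `$zkey` is assigned outside the hunk; if it is taken from the request, the targeted permissions would be encrypted to whatever key the caller supplied, so the signature should be verified against `$zkey` before the targeted branch is taken. At minimum use one condition in both places, e.g. `$targeted = ($ztarget && $zsig && $zkey);` and `$ret['permissions'] = (($targeted) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions);`, and reword the FIXME to state what remains open. `zfinger_init` begins and ends outside the hunk, so where `$ztarget`, `$zsig` and `$zkey` come from could not be checked here.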