harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better fix for #629 #635 based on ownership/authorship rather than message flags which could be forged

Browse Source
This commit is contained in:
zotlabs 2016-12-31 15:56:45 -08:00
parent ba8a5ac82b
commit 1cd779459b
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/zot.php
View File

@ -1777,7 +1777,7 @@ function process_delivery($sender, $arr, $deliveries, $relay, $public = false, $
$result[] = $DR->get();
}
else {
update_imported_item($sender,$arr,$r[0],$channel['channel_id']);
update_imported_item($sender,$arr,$r[0],$channel['channel_id'],$tag_delivery);
$DR->update('updated');
$result[] = $DR->get();
if(! $relay)
@ -1925,7 +1925,7 @@ function remove_community_tag($sender, $arr, $uid) {
* @param int $uid
*/
function update_imported_item($sender, $item, $orig, $uid) {
function update_imported_item($sender, $item, $orig, $uid, $tag_delivery) {
// If this is a comment being updated, remove any privacy information
// so that item_store_update will set it from the original.
@ -1938,6 +1938,14 @@ function update_imported_item($sender, $item, $orig, $uid) {
unset($item['item_private']);
}
// we need the tag_delivery check for downstream flowing posts as the stored post
// may have a different owner than the one being transmitted.
if(($sender['hash'] != $orig['owner_xchan'] && $sender['hash'] != $orig['author_xchan']) && (! $tag_delivery)) {
notice('sender is not owner or author');
return;
}
$x = item_store_update($item);
// If we're updating an event that we've saved locally, we store the item info first