harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

block channel removal for 48 hours after changing the account password, since the password is required to remove a channel. Somebody looking at an open session on somebody else's computer can simply change the password and then proceed to maliciously remove the channel. This change gives the owner 2 days to discover that something is wrong and recover his/her password and potentially save their channel from getting erased by the vandal. This is most likely to happen if a relationship has gone bad, or something incriminating was found in your private messages when you left your computer briefly unattended.

Browse Source
This commit is contained in:
friendica
2014-07-29 20:13:01 -07:00
parent c8829e7243
commit 35ed18967a
5 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
mod/removeme.php
View File

@@ -23,6 +23,14 @@ function removeme_post(&$a) {
if(! account_verify_password($account['account_email'],$_POST['qxz_password']))
return;
if($account['account_password_changed'] != '0000-00-00 00:00:00') {
$d1 = datetime_convert('UTC','UTC','now - 48 hours');
if($account['account_password_changed'] > d1) {
notice( t('Channel removals are not allowed within 48 hours of changing the account password.') . EOL);
return;
}
}
require_once('include/Contact.php');
$global_remove = intval($_POST['global']);