cleanup and add comments about what we're trying to do here

This commit is contained in:
redmatrix 2016-01-24 15:44:16 -08:00
parent baed7d339e
commit 5e9e1b2c91
2 changed files with 12 additions and 3 deletions


@ -64,7 +64,14 @@ function new_channel_post(&$a) {
$arr = $_POST; $arr = $_POST;
if((! $a->get_account()) || ($arr['account_id'] = get_account_id()) === false) { $acc = $a->get_account();
$arr['account_id'] = get_account_id();
// prevent execution by delegated channels as well as those not logged in.
// get_account_id() returns the account_id from the session. But $a->account
// may point to the original authenticated account.
if((! $acc) || ($acc['account_id'] != $arr['account_id'])) {
notice( t('Permission denied.') . EOL ); notice( t('Permission denied.') . EOL );
return; return;
} }
@ -95,7 +102,10 @@ function new_channel_post(&$a) {
function new_channel_content(&$a) { function new_channel_content(&$a) {
if(! $a->get_account()) {
$acc = $a->get_account();
if((! $acc) || $acc['account_id'] != get_account_id()) {
notice( t('Permission denied.') . EOL); notice( t('Permission denied.') . EOL);
return; return;
} }
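Review bot: The guard `if((! $acc) || ($acc['account_id'] != $arr['account_id']))` compares an account id taken from a database row with one taken from the session using loose `!=`, so the authorization decision rests on PHP's type juggling between strings, ints and `false`; normalising both sides makes the intent explicit: `$aid = intval(get_account_id());` then `if((! $acc) || (! $aid) || (intval($acc['account_id']) !== $aid)) {` with `$arr['account_id'] = $aid;` keeping the POST copy in step. The same loosely typed comparison is repeated in new_channel_content in the second hunk, where the delegation rationale is not commented; a single helper that reports whether the session account matches `$a->get_account()` would let both entry points share the check and the explanatory comment. Whether `get_account_id()` can return `false` or `0` on this path is not visible in the hunk, hence the explicit `(! $aid)` rejection rather than relying on the inequality. Both new_channel_post and new_channel_content continue outside the hunks.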


@ -14,7 +14,6 @@ function thing_init(&$a) {
if(! local_channel()) if(! local_channel())
return; return;
$account_id = $a->get_account();
$channel = $a->get_channel(); $channel = $a->get_channel();
$term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : ''); $term_hash = (($_REQUEST['term_hash']) ? $_REQUEST['term_hash'] : '');