fix webpage perms

2015-04-22 12:00:15 +02:00 · 2015-04-22 12:00:15 +02:00 · 9e490d022b
commit 9e490d022b
parent b4dff3a9ff
3 changed files with 12 additions and 3 deletions
--- a/include/conversation.php
+++ b/include/conversation.php
@ -1637,7 +1637,7 @@ function profile_tabs($a, $is_owner = false, $nickname = null){
 		);
 	}

-	if ($is_owner && feature_enabled($uid,'webpages')) {
+	if ($p['write_pages'] && feature_enabled($uid,'webpages')) {
 		$tabs[] = array(
 			'label' => t('Webpages'),
 			'url'   => $a->get_baseurl() . '/webpages/' . $nickname,
--- a/mod/editwebpage.php
+++ b/mod/editwebpage.php
@ -90,11 +90,18 @@ function editwebpage_content(&$a) {
 	// We've already figured out which item we want and whose copy we need, 
 	// so we don't need anything fancy here

-	$itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
+	$sql_extra = item_permissions_sql($owner);
+
+	$itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s $sql_extra LIMIT 1",
 		intval($post_id),
 		intval($owner)
 	);

+	if(! $itm) {
+		notice( t('Permission denied.') . EOL);
+		return;
+	}
+
 	if($itm[0]['item_flags'] & ITEM_OBSCURED) {
 		$key = get_config('system','prvkey');
 		if($itm[0]['title'])
--- a/mod/webpages.php
+++ b/mod/webpages.php
@ -131,8 +131,10 @@ function webpages_content(&$a) {
 	// so just list titles and an edit link.
 	/** @TODO - this should be replaced with pagelist_widget */

+	$sql_extra = item_permissions_sql($owner);
+
 	$r = q("select * from item_id left join item on item_id.iid = item.id 
-		where item_id.uid = %d and service = 'WEBPAGE' order by item.created desc",
+		where item_id.uid = %d and service = 'WEBPAGE' $sql_extra order by item.created desc",
 		intval($owner)
 	);