harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

issue #59 - this is a real bugger. Might seem fixed but read the code. This could potentially create a security/permissions issue

Browse Source
This commit is contained in:
friendica 2013-09-04 23:15:53 -07:00
parent a88437a1ef
commit f1d875c3e1
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
include/items.php
View File

@ -2010,8 +2010,13 @@ function tag_deliver($uid,$item_id) {
intval($item['parent']),
intval($uid)
);
if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) {
logger('tag_deliver: creating second delivery chain for owner comment.');
// issue #59
// FIXME - check security on post and allowed senders, right now we just allow it. The author *may* be foreign and the original owner is lost on our copy of the post. So this could be very hard to verify. For instance what happens if the top-level post was a wall-to-wall?
// if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) {
if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK)) {
// logger('tag_deliver: creating second delivery chain for owner comment.');
logger('tag_deliver: creating second delivery chain for comment to tagged post.');
// now change this copy of the post to a forum head message and deliver to all the tgroup members
// also reset all the privacy bits to the forum default permissions