From ed4f515800e9f1c352fcd8994db1386286fe3639 Mon Sep 17 00:00:00 2001 From: Dmitriy Simushev Date: Wed, 15 Oct 2014 10:43:02 +0000 Subject: [PATCH] Restrict access to a thread for third-party users See issue #71 for details --- src/mibew/client.php | 13 +++++++++++-- src/mibew/thread.php | 6 +++++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/src/mibew/client.php b/src/mibew/client.php index c6502bb8..2d1a77fa 100644 --- a/src/mibew/client.php +++ b/src/mibew/client.php @@ -131,7 +131,13 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) { } $thread = create_thread($groupid,$visitor['name'], $remoteHost, $referrer,$current_locale,$visitor['id'], $userbrowser,$state_loading,$link); $_SESSION['threadid'] = $thread['threadid']; - + + // Store own thread ids to restrict access for other people + if (!isset($_SESSION['own_threads'])) { + $_SESSION['own_threads'] = array(); + } + $_SESSION['own_threads'][] = $thread['threadid']; + if( $referrer ) { post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer),true),$link); } @@ -163,8 +169,11 @@ $token = verifyparam( "token", "/^\d{1,10}$/"); $threadid = verifyparam( "thread", "/^\d{1,10}$/"); $level = verifyparam( "level", "/^(ajaxed|simple|old)$/"); +// We have to check that the thread is owned by the user. +$is_own_thread = isset($_SESSION['own_threads']) && in_array($threadid, $_SESSION['own_threads']); + $thread = thread_by_id($threadid); -if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] ) { +if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] || !$is_own_thread ) { die("wrong thread"); } diff --git a/src/mibew/thread.php b/src/mibew/thread.php index fa3ad92c..428334d7 100644 --- a/src/mibew/thread.php +++ b/src/mibew/thread.php 
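Review bot: The new `$_SESSION['own_threads'][] = $thread['threadid'];` appends a fresh entry every time this branch creates a thread and nothing prunes the list, so a long-lived visitor session accumulates ids and every later `in_array` check scans all of them. Keying the array by id makes the write idempotent and the lookup a constant-time `isset`: `$_SESSION['own_threads'][$thread['threadid']] = true;`, checked with `isset($_SESSION['own_threads'][$threadid])`. The comment could also say what "own" means here, e.g. `// Thread ids created in this PHP session; token+thread pairs not listed here are refused even with a valid ltoken`. The enclosing `if( !isset($_GET['token']) || !isset($_GET['thread']) )` block starts before the hunk.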
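Review bot: The added `|| !$is_own_thread` makes thread access depend entirely on the PHP session, so a visitor whose session predates this change, or who loses the session cookie mid-chat, now hits `die("wrong thread")` for a thread whose valid `ltoken` they still hold; that is presumably the intended trade-off for issue #71, but it is a rollout caveat worth stating in the comment, e.g. `// Ownership is session-bound: a correct token presented from another session is rejected by design.` The guard only protects this script and thread.php; any other visitor-facing script that resolves a thread from `token` and `thread` query parameters would still accept a leaked token unless it gets the same check, which cannot be confirmed from this diff. The `in_array` is non-strict, which is harmless given the `^\d{1,10}$` pattern on `$threadid` but should stay paired with that regex.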
@@ -35,8 +35,12 @@ if($threadid == 0 && ($token == 123 || $token == 124)) { exit; } +// If the request came from user we have to check that the thread is owned by +// him. If the request came from operator he will be checked for login later. +$is_own_thread = !$isuser || (isset($_SESSION['own_threads']) && in_array($threadid, $_SESSION['own_threads'])); + $thread = thread_by_id($threadid); -if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] ) { +if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] || !$is_own_thread ) { die("wrong thread"); }
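Review bot: `$is_own_thread` is forced to true whenever `$isuser` is false, so on the non-user path this `die("wrong thread")` guard checks only the token and, per the new comment, defers the operator check to code later in the file and outside this hunk. `$isuser` is assigned before the hunk; if it is derived from a request parameter, a visitor can omit the user flag and reach that later code with a thread they do not own, and the protection then rests on the later login check being unconditional for every `act`. It would be more robust to verify the operator login before this `if` so the guard fails closed here, or at least to record the dependency in the comment: `// NOTE: a non-user request passes this guard on token alone; the operator login check below must stay unconditional.` The script continues past the end of the hunk.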