	Restrict access to a thread for third-party users
See issue #71 for details
This commit is contained in:
		
							parent
							
								
									d9faa8d80a
								
							
						
					
					
						commit
						ed4f515800
					
				| @ -132,6 +132,12 @@ if( !isset($_GET['token']) || !isset($_GET['thread']) ) { | ||||
| 		$thread = create_thread($groupid,$visitor['name'], $remoteHost, $referrer,$current_locale,$visitor['id'], $userbrowser,$state_loading,$link); | ||||
| 		$_SESSION['threadid'] = $thread['threadid']; | ||||
| 
 | ||||
| 		// Store own thread ids to restrict access for other people
 | ||||
| 		if (!isset($_SESSION['own_threads'])) { | ||||
| 			$_SESSION['own_threads'] = array(); | ||||
| 		} | ||||
| 		$_SESSION['own_threads'][] = $thread['threadid']; | ||||
| 
 | ||||
| 		if( $referrer ) { | ||||
| 			post_message_($thread['threadid'],$kind_for_agent,getstring2('chat.came.from',array($referrer),true),$link); | ||||
| 		} | ||||
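Review bot: The new ownership list `$_SESSION['own_threads']` is only as trustworthy as the session identifier it lives in, and nothing in the hunk refreshes that identifier when the visitor's first thread is created. Consider regenerating the id at that point, e.g. `session_regenerate_id(true);` immediately before the `$_SESSION['own_threads'][] = $thread['threadid'];` line, so a session id that existed before the thread did is not what later grants access to it. The list is also never pruned of closed threads for the lifetime of the session; that is harmless here but worth a comment such as `// Never pruned: ids stay until the session ends`. The enclosing branch starts before the hunk.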
| @ -163,8 +169,11 @@ $token = verifyparam( "token", "/^\d{1,10}$/"); | ||||
| $threadid = verifyparam( "thread", "/^\d{1,10}$/"); | ||||
| $level = verifyparam( "level", "/^(ajaxed|simple|old)$/"); | ||||
| 
 | ||||
| // We have to check that the thread is owned by the user.
 | ||||
| $is_own_thread = isset($_SESSION['own_threads']) && in_array($threadid, $_SESSION['own_threads']); | ||||
| 
 | ||||
| $thread = thread_by_id($threadid); | ||||
| if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] ) { | ||||
| if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] || !$is_own_thread ) { | ||||
| 	die("wrong thread"); | ||||
| } | ||||
| 
 | ||||
|  | ||||
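Review bot: The ownership test on the `$is_own_thread = isset($_SESSION['own_threads']) && in_array(...)` line is duplicated almost verbatim in the third hunk, and the two copies already differ (the other adds a `!$isuser` exemption); a shared helper in the common include, e.g. `function is_own_thread($threadid) { return isset($_SESSION['own_threads']) && in_array($threadid, $_SESSION['own_threads']); }`, would keep the rule in one place. Because `$threadid` is validated by `verifyparam` as digits only, the loose `in_array` comparison is acceptable, but if the stored ids are integers a strict compare against `(int)$threadid` would make that intent explicit. The failure path reuses `die("wrong thread")` for both a bad token and a foreign session, which is fine for the client but hides which condition failed from the server log; a log line before the `die` naming the failed condition would help incident review. The surrounding handler is outside the hunk.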
| @ -35,8 +35,12 @@ if($threadid == 0 && ($token == 123 || $token == 124)) { | ||||
| 	exit; | ||||
| } | ||||
| 
 | ||||
| // If the request came from user we have to check that the thread is owned by
 | ||||
| // him. If the request came from operator he will be checked for login later.
 | ||||
| $is_own_thread = !$isuser || (isset($_SESSION['own_threads']) && in_array($threadid, $_SESSION['own_threads'])); | ||||
| 
 | ||||
| $thread = thread_by_id($threadid); | ||||
| if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] ) { | ||||
| if( !$thread || !isset($thread['ltoken']) || $token != $thread['ltoken'] || !$is_own_thread ) { | ||||
| 	die("wrong thread"); | ||||
| } | ||||
| 
 | ||||
|  | ||||
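Review bot: The `!$isuser ||` short-circuit on the `$is_own_thread = ...` line exempts every request that does not present itself as a user, and the comment defers the operator's login check to code outside the hunk; `$isuser` is defined before the hunk, and if it is derived from a request parameter this exemption is only sound as long as every later path enforces the operator login before acting on `$thread`. Consider making that dependency explicit at the point of use, e.g. replace the two comment lines with `// Non-user requests skip the session check; they MUST reach the operator login check below before any thread data is used.` and, where feasible, run the operator login check before this `die("wrong thread")` so both authorization paths converge here. The rest of the handler is outside the hunk.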