security fix for channel?mid= per zottel

2024-09-20 09:35:11 +00:00 · 2014-01-10 00:58:53 -08:00 · 2014-01-10 00:58:53 -08:00 · 0fef87cb43
commit 0fef87cb43
parent 13d0a914c7
1 changed files with 4 additions and 2 deletions
--- a/mod/channel.php
+++ b/mod/channel.php
@ -135,9 +135,11 @@ function channel_content(&$a, $update = 0, $load = false) {

 	if(($update) && (! $load)) {
 		if ($mid) {
-			$r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1",
+			$r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d AND item_restrict = 0
+				AND (item_flags &  %d) $sql_extra limit 1",
 				dbesc($mid),
-				intval($a->profile['profile_uid'])
+				intval($a->profile['profile_uid']),
+				intval(ITEM_WALL)
 			);
 		} else {
 			$r = q("SELECT distinct parent AS `item_id` from item