valvin
/
ttrss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feed debugger: only allow debugging users own feeds

This commit is contained in:
Andrew Dolgov 2017-12-03 13:35:18 +03:00
parent 93e70e36c2
commit 1f16f9b8ae
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
classes/feeds.php
View File

@ -1195,6 +1195,14 @@ class Feeds extends Handler_Protected {
@$do_update = $_REQUEST["action"] == "do_update"; @$do_update = $_REQUEST["action"] == "do_update";
$csrf_token = $_REQUEST["csrf_token"]; $csrf_token = $_REQUEST["csrf_token"];
$sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
$sth->execute([$feed_id, $_SESSION['uid']]);
if (!$sth->fetch()) {
print "Access denied.";
return;
}
$refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : ""; $refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : "";
$rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : ""; $rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : "";