author | Andrew Dolgov <[email protected]> | 2017-12-03 13:35:18 +0300 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2017-12-03 13:35:18 +0300 |
commit | 1f16f9b8ae77bcd2f3610f6e6e44bd2a24d3a660 (patch) | |
tree | 51448f858eeeb69c9ce7ecbcbaca8cce8748993f | |
parent | 93e70e36c2420e62fdaf229e054aadd7bc981744 (diff) |
feed debugger: only allow debugging users own feeds
-rwxr-xr-x | classes/feeds.php | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/classes/feeds.php b/classes/feeds.php
index 30d26f361..95987f733 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1195,6 +1195,14 @@ class Feeds extends Handler_Protected {
 @$do_update = $_REQUEST["action"] == "do_update";
 $csrf_token = $_REQUEST["csrf_token"];
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+ $sth->execute([$feed_id, $_SESSION['uid']]);
+
+ if (!$sth->fetch()) {
+ print "Access denied.";
+ return;
+ }
+
 $refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : "";
 $rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : "";
|
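Review bot: The denial branch of the new ownership check (`if (!$sth->fetch())`) answers with the default 200 status and records nothing, so requests for feed ids the session user does not own leave no signal for whoever reads the logs. I would put `http_response_code(403);` before the `print` and log the rejection, for example `user_error("feed debugger: uid " . $_SESSION['uid'] . " denied for feed " . (int)$feed_id, E_USER_WARNING);`, casting the id so request data cannot shape the log line. Giving the same response for a missing feed and for someone else's feed is worth keeping, since it does not reveal which ids exist. The function starts and ends outside this hunk, so where `$feed_id` is assigned and whether anything above the check already touches the feed cannot be confirmed from here.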