authorAndrew Dolgov <[email protected]>2017-12-03 13:35:18 +0300
committerAndrew Dolgov <[email protected]>2017-12-03 13:35:18 +0300
commit1f16f9b8ae77bcd2f3610f6e6e44bd2a24d3a660 (patch)
tree51448f858eeeb69c9ce7ecbcbaca8cce8748993f /classes
parent93e70e36c2420e62fdaf229e054aadd7bc981744 (diff)
feed debugger: only allow debugging users own feeds
Diffstat (limited to 'classes')
-rwxr-xr-xclasses/feeds.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/classes/feeds.php b/classes/feeds.php
index 30d26f361..95987f733 100755
--- a/classes/feeds.php
+++ b/classes/feeds.php
@@ -1195,6 +1195,14 @@ class Feeds extends Handler_Protected {
@$do_update = $_REQUEST["action"] == "do_update";
$csrf_token = $_REQUEST["csrf_token"];
+ $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+ $sth->execute([$feed_id, $_SESSION['uid']]);
+
+ if (!$sth->fetch()) {
+ print "Access denied.";
+ return;
+ }
+
$refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : "";
$rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : "";
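Review bot: The denial branch (`print "Access denied."; return;`) still answers with the default 200 status, so access logs and any monitoring built on them cannot tell a rejected cross-user request from a normal debugger page load. Setting the status first, `http_response_code(403);` before the `print`, would make these attempts visible, assuming nothing has been output earlier in the method. The single query gives the same answer for a missing feed and for another user's feed, which avoids leaking which feed ids exist; a short comment such as `// same response for missing and foreign feeds, do not split` would keep that from being changed later. `$feed_id` is assigned above the hunk, so whether it is cast to an integer before being bound cannot be checked from here, and the method body continues past the last context line.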