feed debugger: only allow debugging users own feeds
[tt-rss.git] / classes / feeds.php
index 70e8ade939655a8cb8ee218c561a922d88f9bcca..95987f7334d7c1a6f02a7c1a700de4f1f5c53f77 100755 (executable)
@@ -1195,16 +1195,24 @@ class Feeds extends Handler_Protected {
                @$do_update = $_REQUEST["action"] == "do_update";
                $csrf_token = $_REQUEST["csrf_token"];
 
+               $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+               $sth->execute([$feed_id, $_SESSION['uid']]);
+
+               if (!$sth->fetch()) {
+                   print "Access denied.";
+                   return;
+        }
+
                $refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : "";
                $rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : "";
 
                ?>
                <html>
                <head>
-                       <link rel="stylesheet" type="text/css" href="css/utility.css">
+                       <?php echo stylesheet_tag("css/default.css") ?>
                        <title>Feed Debugger</title>
                </head>
-               <body class="small_margins">
+               <body class="small_margins ttrss_utility claro">
                <h1>Feed Debugger: <?php echo "$feed_id: " . $this->getFeedTitle($feed_id) ?></h1>
                <form method="GET" action="">
                        <input type="hidden" name="op" value="feeds">
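Review bot: The denial branch of the new ownership check answers with a bare `print "Access denied.";` and an implicit 200 status, so a request for a feed the session user does not own looks like a normal page load in access logs and to monitoring. Send `http_response_code(403);` before the print; nothing is output earlier in the visible hunk, but the method starts outside it, so confirm that no output precedes it. The check is also only as strict as `$feed_id`, whose assignment is not visible here: if it is not cast to an integer, a database that coerces strings when comparing `id = ?` may accept a non-numeric value, and the `<h1>` further down echoes `$feed_id` and `getFeedTitle($feed_id)` (a title that presumably originates from the feed) without escaping. An explicit `(int)` cast where `$feed_id` is read and `htmlspecialchars()` around the title on that line would close both. The closing brace of the `if` is also indented differently from its opening line.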