prevent session modification in public/share

author Andrew Dolgov <fox@madoka.volgo-balt.ru>

Thu, 7 Jun 2012 06:09:07 +0000 (10:09 +0400)

committer Andrew Dolgov <fox@madoka.volgo-balt.ru>

Thu, 7 Jun 2012 06:09:16 +0000 (10:09 +0400)
author Andrew Dolgov <fox@madoka.volgo-balt.ru>
Thu, 7 Jun 2012 06:09:07 +0000 (10:09 +0400)
committer Andrew Dolgov <fox@madoka.volgo-balt.ru>
Thu, 7 Jun 2012 06:09:16 +0000 (10:09 +0400)
diff --git a/classes/public_handler.php b/classes/public_handler.php

index 7db341458bc89bcdd22e6f3c524563212ad12c6b..51ba48fed75d6312cb4c17da028ee694645c65ef 100644 (file)
--- a/classes/public_handler.php
+++ b/classes/public_handler.php
@@ -256,9 +256,7 @@ class Public_Handler extends Handler {
                         $id = db_fetch_result($result, 0, "ref_id");
                         $owner_uid = db_fetch_result($result, 0, "owner_uid");
  
-                       $_SESSION["uid"] = $owner_uid;
-                       $article = format_article($this->link, $id, false, true);
-                       $_SESSION["uid"] = "";
+                       $article = format_article($this->link, $id, false, true, $owner_uid);
  
                         print_r($article['content']);
  
diff --git a/include/functions.php b/include/functions.php

index 5eb5b97af591e4e1a2e351c313a6f7e440f06d62..3ad438d866f0d5862c8398783ee5bef07b61fad7 100644 (file)
--- a/include/functions.php
+++ b/include/functions.php
@@ -3102,7 +3102,7 @@
  
                         if ($tag_cache === false) {
                                 $result = db_query($link, "SELECT tag_cache FROM ttrss_user_entries
-                                       WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+                                       WHERE ref_id = '$id' AND owner_uid = $owner_uid");
  
                                 $tag_cache = db_fetch_result($result, 0, "tag_cache");
                         }
@@ -3125,7 +3125,7 @@
  
                                 db_query($link, "UPDATE ttrss_user_entries
                                         SET tag_cache = '$tags_str' WHERE ref_id = '$id'
-                                       AND owner_uid = " . $_SESSION["uid"]);
+                                       AND owner_uid = $owner_uid");
                         }
  
                         if ($memcache) $memcache->add($obj_id, $tags, 0, 3600);
@@ -3251,7 +3251,9 @@
                 return $entry;
         }
  
-       function format_article($link, $id, $mark_as_read = true, $zoom_mode = false) {
+       function format_article($link, $id, $mark_as_read = true, $zoom_mode = false, $owner_uid = false) {
+
+               if (!$owner_uid) $owner_uid = $_SESSION["uid"];
  
                 $rv = array();
  
@@ -3270,7 +3272,7 @@
                 //if (!$zoom_mode) { print "<article id='$id'><![CDATA["; };
  
                 $result = db_query($link, "SELECT rtl_content, always_display_enclosures FROM ttrss_feeds
-                       WHERE id = '$feed_id' AND owner_uid = " . $_SESSION["uid"]);
+                       WHERE id = '$feed_id' AND owner_uid = $owner_uid");
  
                 if (db_num_rows($result) == 1) {
                         $rtl_content = sql_bool_to_bool(db_fetch_result($result, 0, "rtl_content"));
@@ -3291,9 +3293,9 @@
                 if ($mark_as_read) {
                         $result = db_query($link, "UPDATE ttrss_user_entries
                                 SET unread = false,last_read = NOW()
-                               WHERE ref_id = '$id' AND owner_uid = " . $_SESSION["uid"]);
+                               WHERE ref_id = '$id' AND owner_uid = $owner_uid");
  
-                       ccache_update($link, $feed_id, $_SESSION["uid"]);
+                       ccache_update($link, $feed_id, $owner_uid);
                 }
  
                 $result = db_query($link, "SELECT title,link,content,feed_id,comments,int_id,
@@ -3306,7 +3308,7 @@
                         orig_feed_id,
                         note
                         FROM ttrss_entries,ttrss_user_entries
-                       WHERE   id = '$id' AND ref_id = id AND owner_uid = " . $_SESSION["uid"]);
+                       WHERE   id = '$id' AND ref_id = id AND owner_uid = $owner_uid");
  
                 if ($result) {
  
@@ -3360,7 +3362,7 @@
                         }
  
                         $parsed_updated = make_local_datetime($link, $line["updated"], true,
-                               false, true);
+                               $owner_uid, true);
  
                         $rv['content'] .= "<div class=\"postDate$rtl_class\">$parsed_updated</div>";
  
@@ -3378,7 +3380,7 @@
                         $tag_cache = $line["tag_cache"];
  
                         if (!$tag_cache)
-                               $tags = get_article_tags($link, $id);
+                               $tags = get_article_tags($link, $id, $owner_uid);
                         else
                                 $tags = explode(",", $tag_cache);
  
@@ -3472,7 +3474,7 @@
  
                         $rv['content'] .= "<div class=\"postContent\">";
  
-                       $article_content = sanitize($link, $line["content"], false, false,
+                       $article_content = sanitize($link, $line["content"], false, $owner_uid,
                                 $feed_site_url);
  
                         $rv['content'] .= $article_content;
author	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Thu, 7 Jun 2012 06:09:07 +0000 (10:09 +0400)
committer	Andrew Dolgov <fox@madoka.volgo-balt.ru>
	Thu, 7 Jun 2012 06:09:16 +0000 (10:09 +0400)
classes/public_handler.php		patch \| blob \| blame \| history
include/functions.php		patch \| blob \| blame \| history