feed debugger: only allow debugging users own feeds
authorAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 10:35:18 +0000 (13:35 +0300)
committerAndrew Dolgov <noreply@fakecake.org>
Sun, 3 Dec 2017 10:35:18 +0000 (13:35 +0300)
classes/feeds.php

index 30d26f361937aa4cb95defbcfd106977ff89a231..95987f7334d7c1a6f02a7c1a700de4f1f5c53f77 100755 (executable)
@@ -1195,6 +1195,14 @@ class Feeds extends Handler_Protected {
                @$do_update = $_REQUEST["action"] == "do_update";
                $csrf_token = $_REQUEST["csrf_token"];
 
+               $sth = $this->pdo->prepare("SELECT id FROM ttrss_feeds WHERE id = ? AND owner_uid = ?");
+               $sth->execute([$feed_id, $_SESSION['uid']]);
+
+               if (!$sth->fetch()) {
+                   print "Access denied.";
+                   return;
+        }
+
                $refetch_checked = isset($_REQUEST["force_refetch"]) ? "checked" : "";
                $rehash_checked = isset($_REQUEST["force_rehash"]) ? "checked" : "";
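Review bot: The denial branch of the new ownership check ends with a bare `print "Access denied."; return;`, so a refused request for another user's feed id still returns the default 200 status and leaves no record for whoever reviews the logs. Consider setting the status first with `http_response_code(403);` (assuming nothing has been output earlier in the method, which is not visible here) and logging the session uid and the requested feed id on that path. A one-line comment above the query such as `// authorization: the feed must belong to the logged-in user` would mark it as the access boundary for later editors, and the closing brace of the `if` is indented less than its body. The enclosing method starts and ends outside the hunk, so these lines cannot confirm where `$feed_id` comes from or whether `$csrf_token` is verified before the `do_update` action runs.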