API: fix sender/recipient of PMs: check api_user before get user info.

[friendica.git] / include / api.php

diff --git a/include/api.php b/include/api.php
index af71e2f1cf2693eda373c45167c385106f2fdb9c..93a158b71016ccd1e5e0ad7b8b972e9cd3939b92 100644 (file)
--- a/include/api.php
+++ b/include/api.php
@@ -3700,12 +3700,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
 function api_direct_messages_box($type, $box, $verbose)
 {
        $a = get_app();
-       $user_info = api_get_user($a);
-
-       if (api_user() === false || $user_info === false) {
+       if (api_user() === false) {
                throw new ForbiddenException();
        }
-
        // params
        $count = (x($_GET, 'count') ? $_GET['count'] : 20);
        $page = (x($_REQUEST, 'page') ? $_REQUEST['page'] -1 : 0);
@@ -3726,6 +3723,10 @@ function api_direct_messages_box($type, $box, $verbose)
        unset($_REQUEST["screen_name"]);
        unset($_GET["screen_name"]);
 
+       $user_info = api_get_user($a);
+       if ($user_info === false) {
+               throw new ForbiddenException();
+       }
        $profile_url = $user_info["url"];
 
        // pagination