API: Only allow repeating of public items

author Michael Vogel <icarus@dabo.de>

Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)

committer Michael Vogel <icarus@dabo.de>

Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)
author Michael Vogel <icarus@dabo.de>
Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)
committer Michael Vogel <icarus@dabo.de>
Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)
diff --git a/include/api.php b/include/api.php

index 3bc7c8bab90db41ff9e4401c8763747abd0a112b..4d206da28e771d2de71a16df9e9d1a010b99ed30 100644 (file)
--- a/include/api.php
+++ b/include/api.php
@@ -1551,6 +1551,8 @@
                         WHERE `item`.`visible` = 1 and `item`.`moderated` = 0 AND `item`.`deleted` = 0
                         AND `contact`.`id` = `item`.`contact-id`
                         AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
+                       AND NOT `item`.`private` AND `item`.`allow_cid` = '' AND `item`.`allow`.`gid` = ''
+                       AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
                         $sql_extra
                         AND `item`.`id`=%d",
                         intval($id)
@@ -1579,7 +1581,8 @@
                                 $_REQUEST["source"] = api_source();
  
                         item_post($a);
-               }
+               } else
+                       throw new ForbiddenException();
  
                 // this should output the last post (the one we just posted).
                 $called_api = null;
author	Michael Vogel <icarus@dabo.de>
	Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)
committer	Michael Vogel <icarus@dabo.de>
	Mon, 25 Jan 2016 21:35:18 +0000 (22:35 +0100)