API: fix sender/recipient of PMs: check api_user before get user info.

To throw ForbiddenException and pass tests

diff --git a/include/api.php b/include/api.php
index 6e704cb125a7da7973eae31a44be5f13377457bd..93a158b71016ccd1e5e0ad7b8b972e9cd3939b92 100644 (file)
--- a/include/api.php
+++ b/include/api.php
@@ -3700,7 +3700,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
 function api_direct_messages_box($type, $box, $verbose)
 {
        $a = get_app();
-
+       if (api_user() === false) {
+               throw new ForbiddenException();
+       }
        // params
        $count = (x($_GET, 'count') ? $_GET['count'] : 20);
        $page = (x($_REQUEST, 'page') ? $_REQUEST['page'] -1 : 0);
@@ -3722,7 +3724,7 @@ function api_direct_messages_box($type, $box, $verbose)
        unset($_GET["screen_name"]);
 
        $user_info = api_get_user($a);
-       if (api_user() === false || $user_info === false) {
+       if ($user_info === false) {
                throw new ForbiddenException();
        }
        $profile_url = $user_info["url"];