From 9b2582e066d578c07efcec116e0a933c52c4f7cc Mon Sep 17 00:00:00 2001
From: Michael Vogel
Date: Mon, 25 Jan 2016 22:35:18 +0100
Subject: [PATCH] API: Only allow repeating of public items

---
 include/api.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/api.php b/include/api.php
index 3bc7c8bab9..4d206da28e 100644
--- a/include/api.php
+++ b/include/api.php
@@ -1551,6 +1551,8 @@
 WHERE `item`.`visible` = 1 and `item`.`moderated` = 0 AND `item`.`deleted` = 0
 AND `contact`.`id` = `item`.`contact-id` AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
+ AND NOT `item`.`private` AND `item`.`allow_cid` = '' AND `item`.`allow`.`gid` = ''
+ AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = ''
 $sql_extra
 AND `item`.`id`=%d",
 intval($id)
@@ -1579,7 +1581,8 @@
 $_REQUEST["source"] = api_source();
 item_post($a);
-}
+} else
+throw new ForbiddenException();
 // this should output the last post (the one we just posted).
 $called_api = null;
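Review bot: The third predicate on the first added line references `` `item`.`allow`.`gid` ``, a three-part database.table.column name, while its siblings use the columns `allow_cid`, `deny_cid` and `deny_gid`; MySQL will reject the statement with an unknown-column error, so `q()` yields nothing and every repeat request, public or not, ends up in the new else branch of the second hunk rather than being filtered. It should read `` AND `item`.`allow_gid` = '' ``. The `$sql_extra` fragment and the enclosing `q()` call begin and end outside this hunk, so I cannot tell from here whether anything else is appended to the WHERE clause. A test that repeats one public item and one item carrying an `allow_gid` ACL would have caught this and would pin the intended behaviour.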
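Review bot: The new `else` on the added lines is a brace-less single statement attached to an `if` whose head lies above the hunk, whereas the surrounding code uses braced blocks; writing it as `} else {` / `throw new ForbiddenException();` / `}` keeps the style uniform and stops a later statement from silently landing outside the else. As far as the first hunk shows, the query also returns nothing for an id that does not exist, so the caller gets the same 403 whether the item is missing or merely non-public; I would keep that deliberate, since distinguishing the two would disclose the existence of private items, and record it with a comment such as `// Missing and non-public items are intentionally indistinguishable to the caller.` so nobody "fixes" it to a 404 later. The `// this should output the last post` comment now describes only the success path, and the enclosing function continues past the hunk.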