From e3ee9ee501f6a02ba64b95cd593f7f2cbffa1631 Mon Sep 17 00:00:00 2001
From: fabrixxm
Date: Mon, 18 Jun 2018 11:55:02 +0200
Subject: [PATCH] API: fix sender/recipient of PMs: check api_user before get user info. To throw ForbiddenException and pass tests

---
 include/api.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/api.php b/include/api.php
index 6e704cb125..93a158b710 100644
--- a/include/api.php
+++ b/include/api.php
@@ -3700,7 +3700,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
 function api_direct_messages_box($type, $box, $verbose)
 {
 	$a = get_app();
-
+	if (api_user() === false) {
+		throw new ForbiddenException();
+	}
 	// params
 	$count = (x($_GET, 'count') ? $_GET['count'] : 20);
 	$page = (x($_REQUEST, 'page') ? $_REQUEST['page'] -1 : 0);
@@ -3722,7 +3724,7 @@ function api_direct_messages_box($type, $box, $verbose)
 	unset($_GET["screen_name"]);
 
 	$user_info = api_get_user($a);
-	if (api_user() === false || $user_info === false) {
+	if ($user_info === false) {
 		throw new ForbiddenException();
 	}
 	$profile_url = $user_info["url"];
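Review bot: The `$count` and `$page` values read immediately after the new `api_user()` guard in api_direct_messages_box are still raw request strings: `$count` is taken from `$_GET` without a cast, and `$page` from `$_REQUEST` so that `page=0` yields `$page = -1`. The guard now runs before any input is touched, which is the right order, but if these values reach a LIMIT/OFFSET further down (the function body continues outside the hunk, so I cannot confirm) they should be coerced here: `$count = (x($_GET, 'count') ? (int) $_GET['count'] : 20);` and `$page = (x($_REQUEST, 'page') ? max(0, (int) $_REQUEST['page'] - 1) : 0);`. Reading one parameter from `$_GET` and the other from `$_REQUEST` is also inconsistent; pick one superglobal for both. Since the function now throws in two places, a docblock line `@throws ForbiddenException when no API user is authenticated or the target user cannot be resolved` above the signature would document the contract the tests rely on.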