From c015bb1b7779381edc486ae1ab71eec561349e87 Mon Sep 17 00:00:00 2001
From: fabrixxm
Date: Sun, 17 Jun 2018 19:57:32 +0200
Subject: [PATCH 1/2] API: fix sender/recipient of PMs

---
 include/api.php | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/include/api.php b/include/api.php
index af71e2f1cf..6e704cb125 100644
--- a/include/api.php
+++ b/include/api.php
@@ -3700,11 +3700,6 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
 function api_direct_messages_box($type, $box, $verbose)
 {
 	$a = get_app();
-	$user_info = api_get_user($a);
-
-	if (api_user() === false || $user_info === false) {
-		throw new ForbiddenException();
-	}
 
 	// params
 	$count = (x($_GET, 'count') ? $_GET['count'] : 20);
@@ -3726,6 +3721,10 @@ function api_direct_messages_box($type, $box, $verbose)
 	unset($_REQUEST["screen_name"]);
 	unset($_GET["screen_name"]);
 
+	$user_info = api_get_user($a);
+	if (api_user() === false || $user_info === false) {
+		throw new ForbiddenException();
+	}
 	$profile_url = $user_info["url"];
 
 	// pagination

From e3ee9ee501f6a02ba64b95cd593f7f2cbffa1631 Mon Sep 17 00:00:00 2001
From: fabrixxm
Date: Mon, 18 Jun 2018 11:55:02 +0200
Subject: [PATCH 2/2] API: fix sender/recipient of PMs: check api_user before get user info. To throw ForbiddenException and pass tests

---
 include/api.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/include/api.php b/include/api.php
index 6e704cb125..93a158b710 100644
--- a/include/api.php
+++ b/include/api.php
@@ -3700,7 +3700,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
 function api_direct_messages_box($type, $box, $verbose)
 {
 	$a = get_app();
-
+	if (api_user() === false) {
+		throw new ForbiddenException();
+	}
 	// params
 	$count = (x($_GET, 'count') ? $_GET['count'] : 20);
 	$page = (x($_REQUEST, 'page') ? $_REQUEST['page'] -1 : 0);
@@ -3722,7 +3724,7 @@ function api_direct_messages_box($type, $box, $verbose)
 	unset($_GET["screen_name"]);
 
 	$user_info = api_get_user($a);
-	if (api_user() === false || $user_info === false) {
+	if ($user_info === false) {
 		throw new ForbiddenException();
 	}
 	$profile_url = $user_info["url"];
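Review bot: The identity used for the mailbox lookup still comes from request state rather than from the authenticated session: `$user_info = api_get_user($a)` is only steered toward the caller by the preceding `unset($_GET["screen_name"])`/`unset($_REQUEST["screen_name"])`, so if `api_get_user` also honours other user-selecting parameters (a `user_id` or `profileurl` argument, for instance — not visible in this hunk), a caller could still have `$profile_url` resolved for someone else's account and read or address that mailbox. If `api_get_user` accepts an explicit user/contact identifier, passing the value of `api_user()` (already verified non-false at the top of the function) would tie the lookup to the session instead of to whatever parameters happened to be scrubbed, e.g. `$user_info = api_get_user($a, api_user());` — please confirm the helper's signature before adopting that. A secondary point: `if ($user_info === false) { throw new ForbiddenException(); }` now fires after authentication has already succeeded, so it reports a lookup failure as an authorization failure; a short comment such as `// user record missing for an authenticated caller: treat as forbidden so the API tests see a 403` would make that deliberate choice (stated in the commit subject) visible in the code. The body of api_direct_messages_box continues below this hunk.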