API: fix sender/recipient of PMs: check api_user before get user info.
To throw ForbiddenException and pass tests
This commit is contained in:
parent
c015bb1b77
commit
e3ee9ee501
|
@ -3700,7 +3700,9 @@ api_register_func('api/direct_messages/destroy', 'api_direct_messages_destroy',
|
|||
function api_direct_messages_box($type, $box, $verbose)
|
||||
{
|
||||
$a = get_app();
|
||||
|
||||
if (api_user() === false) {
|
||||
throw new ForbiddenException();
|
||||
}
|
||||
// params
|
||||
$count = (x($_GET, 'count') ? $_GET['count'] : 20);
|
||||
$page = (x($_REQUEST, 'page') ? $_REQUEST['page'] -1 : 0);
|
||||
|
@ -3722,7 +3724,7 @@ function api_direct_messages_box($type, $box, $verbose)
|
|||
unset($_GET["screen_name"]);
|
||||
|
||||
$user_info = api_get_user($a);
|
||||
if (api_user() === false || $user_info === false) {
|
||||
if ($user_info === false) {
|
||||
throw new ForbiddenException();
|
||||
}
|
||||
$profile_url = $user_info["url"];
|
||||
|
|
Loading…
Reference in New Issue
Block a user