authorAaron Parecki <aaron@parecki.com>2017-02-12 20:26:33 -0800
committerAaron Parecki <aaron@parecki.com>2017-02-12 20:26:33 -0800
commit5f89ca0552ba69d94af950503bf915bc19d633b1 (patch)
treead7b83bdf1cf60dd12c15bcab467a2c816067212
parent43e8a1ef8d7586422b5d164204a57bdd5938a6d1 (diff)
limit autosubmit tokens to the same user
-rw-r--r--controllers/controllers.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 10dd9a1..5437ad7 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) {
if(array_key_exists('token', $params)) {
try {
$data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
- $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+ if(isset($data->autosubmit) && $data->autosubmit) {
+ // Only allow this token to be used for the user who created it
+ if($data->user_id == $_SESSION['user_id']) {
+ $autosubmit = true;
+ }
+ }
} catch(Exception $e) {
}
}
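Review bot: The ownership check on the new line `if($data->user_id == $_SESSION['user_id'])` uses loose comparison and never confirms that either side is actually present, so a token lacking a `user_id` claim compared against a session with no `user_id` (both null) would satisfy it, and PHP's `==` coercion between a string claim and an integer session id can also match values that are not genuinely equal. I would tighten it to `if(isset($data->user_id) && isset($_SESSION['user_id']) && (string)$data->user_id === (string)$_SESSION['user_id']) {`, casting both sides because the claim type that was put into the token is not visible here. Note also that the old code assigned `$autosubmit` on every successful decode, while the new code only ever sets it to `true`; if `$autosubmit` is not initialised before this block, the logged-out or mismatched-user path now leaves it undefined — worth confirming against the lines above the hunk. The empty `catch(Exception $e)` silently discards a failed or forged token, which is presumably deliberate, but a one-line comment such as `// invalid/expired token: fall through with autosubmit disabled` would make that intent explicit. The enclosing `/favorite` route closure starts before this hunk and continues after it.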