author | Aaron Parecki <aaron@parecki.com> | 2017-02-12 20:26:33 -0800 |
committer | Aaron Parecki <aaron@parecki.com> | 2017-02-12 20:26:33 -0800 |
commit | 5f89ca0552ba69d94af950503bf915bc19d633b1 (patch) | |
tree | ad7b83bdf1cf60dd12c15bcab467a2c816067212 /controllers/controllers.php | |
parent | 43e8a1ef8d7586422b5d164204a57bdd5938a6d1 (diff) |
limit autosubmit tokens to the same user
Diffstat (limited to 'controllers/controllers.php')
-rw-r--r-- | controllers/controllers.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 10dd9a1..5437ad7 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) {
 if(array_key_exists('token', $params)) {
 try {
 $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
- $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+ if(isset($data->autosubmit) && $data->autosubmit) {
+ // Only allow this token to be used for the user who created it
+ if($data->user_id == $_SESSION['user_id']) {
+ $autosubmit = true;
+ }
+ }
 } catch(Exception $e) {
 }
 }
|
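Review bot: The new user check `if($data->user_id == $_SESSION['user_id'])` compares with loose `==` and does not confirm that either side is present, so a decoded token without a `user_id` claim, or a request with no `user_id` in the session, compares `null == null` and passes; a claim that is a non-numeric string can also compare loosely equal to an integer id. Both values come from the token and the session rather than being fixed here, so the comparison should require presence and identical type: `if(isset($data->user_id, $_SESSION['user_id']) && (int)$data->user_id === (int)$_SESSION['user_id']) {`. Separately, the removed line assigned `$autosubmit` on every successful decode, whereas the new branch assigns it only when the check succeeds; unless `$autosubmit` is initialised earlier in the handler, a token for a different user now leaves it undefined rather than false. The enclosing `/favorite` handler starts and ends outside the hunk, so that initialisation cannot be confirmed from here.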