diff options
-rw-r--r-- | controllers/controllers.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php index 10dd9a1..5437ad7 100644 --- a/controllers/controllers.php +++ b/controllers/controllers.php @@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) { if(array_key_exists('token', $params)) { try { $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']); - $autosubmit = isset($data->autosubmit) && $data->autosubmit; + if(isset($data->autosubmit) && $data->autosubmit) { + // Only allow this token to be used for the user who created it + if($data->user_id == $_SESSION['user_id']) { + $autosubmit = true; + } + } } catch(Exception $e) { } } |