-rw-r--r--controllers/controllers.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/controllers/controllers.php b/controllers/controllers.php
index 10dd9a1..5437ad7 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) {
if(array_key_exists('token', $params)) {
try {
$data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
- $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+ if(isset($data->autosubmit) && $data->autosubmit) {
+ // Only allow this token to be used for the user who created it
+ if($data->user_id == $_SESSION['user_id']) {
+ $autosubmit = true;
+ }
+ }
} catch(Exception $e) {
}
}
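Review bot: The ownership check on the new `if($data->user_id == $_SESSION['user_id'])` line uses loose comparison and does not confirm either side exists: a token without a `user_id` claim yields `null`, which `==` treats as equal to a missing session value (and, before PHP 8, to values such as `0`), and `$_SESSION['user_id']` is read without `isset`, so a request with no logged-in user produces a notice instead of a clean rejection. Tightening it to `if(isset($data->user_id, $_SESSION['user_id']) && (string)$data->user_id === (string)$_SESSION['user_id']) {` makes the match explicit and type-safe. The rewrite also means `$autosubmit` is no longer assigned on every path through the `try`, so if it is not initialised earlier in the handler (not visible in this hunk) the later read becomes undefined; the empty `catch(Exception $e)` on the same path hides decode failures such as an expired or mis-signed token, which would be worth at least logging. The enclosing `/favorite` route closure starts before and continues after this hunk.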