From 5f89ca0552ba69d94af950503bf915bc19d633b1 Mon Sep 17 00:00:00 2001 From: Aaron Parecki Date: Sun, 12 Feb 2017 20:26:33 -0800 Subject: limit autosubmit tokens to the same user --- controllers/controllers.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'controllers/controllers.php') diff --git a/controllers/controllers.php b/controllers/controllers.php index 10dd9a1..5437ad7 100644 --- a/controllers/controllers.php +++ b/controllers/controllers.php @@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) { if(array_key_exists('token', $params)) { try { $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']); - $autosubmit = isset($data->autosubmit) && $data->autosubmit; + if(isset($data->autosubmit) && $data->autosubmit) { + // Only allow this token to be used for the user who created it + if($data->user_id == $_SESSION['user_id']) { + $autosubmit = true; + } + } } catch(Exception $e) { } } -- cgit v1.2.3