Fix #8090 wrong wall message delete

chamilo · Feb 16, 2016 · 9b9de17 · 9b9de17
1 parent 4aaf4b2
commit 9b9de17
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/main/social/profile.php b/main/social/profile.php
@@ -50,10 +50,19 @@
     exit;
 
 } else if (isset($_GET['messageId'])) {
-    $messageId = Security::remove_XSS($_GET['messageId']);
-    $status = SocialManager::deleteMessage($messageId);
-    header('Location: ' . api_get_path(WEB_CODE_PATH) . 'social/profile.php');
-    exit;
+    $messageId = intval($_GET['messageId']);
+    $messageInfo = MessageManager::get_message_by_id($messageId);
+    if (!empty($messageInfo)) {
+        // I can only delete messages of my own wall
+        if ($messageInfo['user_receiver_id'] == $user_id) {
+            $status = SocialManager::deleteMessage($messageId);
+
+            Display::addFlash(Display::return_message(get_lang('MessageDeleted')));
+            header('Location: ' . api_get_path(WEB_CODE_PATH) . 'social/profile.php');
+            exit;
+        }
+    }
+    api_not_allowed(true);
 
 } else if (isset($_GET['u'])) { //I'm your friend? I can see your profile?
     $user_id = intval($_GET['u']);