From 88281dc99af5f952f6a1f565d113886e56232aa6 Mon Sep 17 00:00:00 2001
From: xiaomlove
Date: Mon, 29 Apr 2024 01:41:55 +0800
Subject: [PATCH] takeconfirm.php check permission
---
 public/takeconfirm.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/public/takeconfirm.php b/public/takeconfirm.php
index aecbd393..c186e3fb 100644
--- a/public/takeconfirm.php
+++ b/public/takeconfirm.php
@@ -5,6 +5,8 @@ require_once(get_langfile_path());
 loggedinorreturn();
 $id = isset($_POST['id']) ? intval($_POST['id']) : (isset($_GET['id']) ? intval($_GET['id']) : die());
 int_check($id,true);
+if (($CURUSER['id'] != $id && !user_can('viewinvite')) || !is_valid_id($id))
+ stderr($lang_functions['std_sorry'],$lang_functions['std_permission_denied'], true, false);
 $email = unesc(htmlspecialchars(trim($_POST["email"])));
 if(!empty($_POST['conusr'])) {
 // sql_query("UPDATE users SET status = 'confirmed', editsecret = '' WHERE id IN (" . implode(", ", $_POST['conusr']) . ") AND status='pending'");
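Review bot: The added guard authorizes only the `id` parameter, while the `if(!empty($_POST['conusr']))` branch right after it acts on a separate, caller-supplied list of account ids, so a request that passes the `$CURUSER['id'] != $id` test is not thereby limited to accounts that belong to `$id`. The statement that consumes `conusr` lies outside the hunk (only its commented-out predecessor is visible), so confirm that it casts every element with `intval` and restricts the update to pending accounts that were invited by `$id`. If it does not, the permission check should be extended to cover each id in the list before the update runs. The brace-less two-line `if` also depends on `stderr()` ending the request, which is not visible here. Braces and a strict comparison would make the intent explicit, e.g. `if (!is_valid_id($id) || ((int)$CURUSER['id'] !== $id && !user_can('viewinvite'))) {`.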