From 5f89ca0552ba69d94af950503bf915bc19d633b1 Mon Sep 17 00:00:00 2001
From: Aaron Parecki <aaron@parecki.com>
Date: Sun, 12 Feb 2017 20:26:33 -0800
Subject: [PATCH] limit autosubmit tokens to the same user

---
 controllers/controllers.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/controllers/controllers.php b/controllers/controllers.php
index 10dd9a1..5437ad7 100644
--- a/controllers/controllers.php
+++ b/controllers/controllers.php
@@ -136,7 +136,12 @@ $app->get('/favorite', function() use($app) {
     if(array_key_exists('token', $params)) {
       try {
         $data = JWT::decode($params['token'], Config::$jwtSecret, ['HS256']);
-        $autosubmit = isset($data->autosubmit) && $data->autosubmit;
+        if(isset($data->autosubmit) && $data->autosubmit) {
+          // Only allow this token to be used for the user who created it
+          if($data->user_id == $_SESSION['user_id']) {
+            $autosubmit = true;
+          }
+        }
       } catch(Exception $e) {
       }
     }