Some security checks.

web/root/blogs/blog_config.js

@@ -33,6 +33,11 @@ var subject=parameters[6];
 //	exit(1);
 //}
 
+if(!msg_area.sub[msg_code].can_read) {
+	write("<html><head><title>Error</title></head><body>Error opening "+msg_code+"!</body></html>");
+	exit(1);
+}
+
 var msgbase = new MsgBase(msg_code);
 if(!msgbase.open()) {
 	write("<html><head><title>Error</title></head><body>Error opening "+msg_code+"!</body></html>");

web/root/blogs/blog_item.xjs

@@ -58,6 +58,10 @@ function not_found_error(reason)
 }
 
 var hdr=msgbase.get_msg_header(msgid);
+if(hdr==null)
+	not_found_error("no header");
+if(hdr.attr & (MSG_PRIVATE|MSG_DELETE))
+	not_found_error("not viewable");
 if(hdr.from.toUpperCase() != poster.toUpperCase())
 	not_found_error("poster");
 //if(hdr.from_ext != pnum)
@@ -126,6 +130,10 @@ while(1) {
 		}
 	}
 	hdr=msgbase.get_msg_header(msgid);
+	if(hdr==null)
+		continue;
+	if(hdr.attr & (MSG_PRIVATE|MSG_DELETE))
+		continue;
 	var body=msgbase.get_msg_body(msgid, true);
 	body=html_encode(body,true,true,false,false);
 	//body=body.split("&#13;&#10;&#13;&#10;").join("</p><p>");

web/root/blogs/msg_index.xjs

@@ -6,6 +6,8 @@
 <?xjs
 for(var grp in msg_area.grp_list) {
 	for(var sub in msg_area.grp_list[grp].sub_list) {
+		if(!msg_area.grp_list[grp].sub_list[sub].can_read)
+			continue;
 		write('<a href="'+msg_area.grp_list[grp].sub_list[sub].code+'/">'+msg_area.grp_list[grp].sub_list[sub].description+'</a><br>');
 	}
 }