authorRedMatrix <info@friendica.com>2014-04-20 12:01:00 +1000
committerRedMatrix <info@friendica.com>2014-04-20 12:01:00 +1000
commit170b5d95e0ac3dd42a5613777af80def35ed41b6 (patch)
treeecbee03c46734f01e67f2f60a6d6f373e5ee58d7
parent4b17f74300114f31ce6d1993c93d0c5f5563dc4a (diff)
parentc946d926103a3bce94dcf99a137f3329ce011e2a (diff)
Merge pull request #418 from jmankiewicz/mod-profpicperm
Patch for Issue #410
-rw-r--r--mod/connedit.php37
-rw-r--r--mod/profile_photo.php93
-rw-r--r--mod/profperm.php13
3 files changed, 133 insertions, 10 deletions
diff --git a/mod/connedit.php b/mod/connedit.php
index 2719b7732..198a66b56 100644
--- a/mod/connedit.php
+++ b/mod/connedit.php
@@ -1,5 +1,11 @@
<?php
+/* @file connedit.php
+ * @brief In this file the connection-editor form is generated and evaluated.
+ *
+ *
+ */
+
require_once('include/Contact.php');
require_once('include/socgraph.php');
require_once('include/contact_selectors.php');
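Review bot: The file header added here opens with `/*`, which Doxygen and phpDocumentor read as an ordinary comment, so the `@file` and `@brief` tags will not be picked up; the opener needs to be `/**`. The same applies to the function comments added in the later hunks of this file and in mod/profile_photo.php. The empty ` *` filler lines can go at the same time.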
@@ -8,6 +14,11 @@ require_once('include/contact_widgets.php');
require_once('include/zot.php');
require_once('include/widgets.php');
+/* @brief Initialize the connection-editor
+ *
+ *
+ */
+
function connedit_init(&$a) {
if(! local_user())
@@ -31,6 +42,10 @@ function connedit_init(&$a) {
}
+/* @brief Evaluate posted values and set changes
+ *
+ */
+
function connedit_post(&$a) {
if(! local_user())
@@ -81,7 +96,7 @@ function connedit_post(&$a) {
if(strpos($k,'perms_') === 0) {
$abook_my_perms += $v;
}
- }
+ }
$abook_flags = $orig_record[0]['abook_flags'];
$new_friend = false;
@@ -103,6 +118,15 @@ function connedit_post(&$a) {
intval(local_user())
);
+ if($orig_record[0]['abook_profile'] != $profile_id) { //Update profile photo permissions
+
+ logger('As a new profile was assigned updateing profile photos');
+ require_once('mod/profile_photo.php');
+ profile_photo_set_profile_perms($profile_id);
+
+ }
+
+
if($r)
info( t('Connection updated.') . EOL);
else
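Review bot: The added block recomputes photo permissions only for the newly assigned profile, so the photo of the profile the connection was moved away from (`$orig_record[0]['abook_profile']`) keeps this connection in its `allow_cid` until something else triggers a resync. Calling `profile_photo_set_profile_perms($orig_record[0]['abook_profile']);` as well would drop the stale entry, but first decide how an empty old value should be handled, because the function treats an empty argument as "reset the default profile photo to public". The block also runs before the `if($r)` check, so the ACL is rewritten even when the abook update failed. `connedit_post` starts and ends outside this hunk, and the origin of `$profile_id` is not visible here.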
@@ -114,7 +138,7 @@ function connedit_post(&$a) {
}
if($new_friend) {
- $channel = $a->get_channel();
+ $channel = $a->get_channel();
$default_group = $channel['channel_default_group'];
if($default_group) {
require_once('include/group.php');
@@ -158,6 +182,11 @@ function connedit_post(&$a) {
}
+/* @brief Clone connection
+ *
+ *
+ */
+
function connedit_clone(&$a) {
if(! $a->poi)
@@ -171,6 +200,10 @@ function connedit_clone(&$a) {
build_sync_packet(0 /* use the current local_user */, array('abook' => array($clone)));
}
+/* @brief Generate content of connection edit page
+ *
+ *
+ */
function connedit_content(&$a) {
diff --git a/mod/profile_photo.php b/mod/profile_photo.php
index 876e3a931..c587b9606 100644
--- a/mod/profile_photo.php
+++ b/mod/profile_photo.php
@@ -1,7 +1,65 @@
<?php
+/* @file profile_photo.php
+ @brief Module-file with functions for handling of profile-photos
+
+*/
+
require_once('include/photo/photo_driver.php');
+/* @brief Function for sync'ing permissions of profile-photos and their profile
+*
+* @param $profileid The id number of the profile to sync
+* @return void
+*/
+
+function profile_photo_set_profile_perms($profileid = '') {
+
+ $allowcid = '';
+ if (x($profileid)) {
+
+ $r = q("SELECT photo, profile_guid, id, is_default, uid FROM profile WHERE profile.id = %d OR profile.profile_guid = '%s' LIMIT 1", intval($profileid), dbesc($profileid));
+
+ } else {
+
+ logger('Resetting permissions on default-profile-photo for user'.local_user());
+ $r = q("SELECT photo, profile_guid, id, is_default, uid FROM profile WHERE profile.uid = %d AND is_default = 1 LIMIT 1", intval(local_user()) ); //If no profile is given, we update the default profile
+ }
+
+ $profile = $r[0];
+ if(x($profile['id']) && x($profile['photo'])) {
+ preg_match("@\w*(?=-\d*$)@i", $profile['photo'], $resource_id);
+ $resource_id = $resource_id[0];
+
+ if (intval($profile['is_default']) != 1) {
+ $r0 = q("SELECT channel_hash FROM channel WHERE channel_id = %d LIMIT 1", intval(local_user()) );
+ $r1 = q("SELECT abook.abook_xchan FROM abook WHERE abook_profile = %d ", intval($profile['id'])); //Should not be needed in future. Catches old int-profile-ids.
+ $r2 = q("SELECT abook.abook_xchan FROM abook WHERE abook_profile = '%s'", dbesc($profile['profile_guid']));
+ $allowcid = "<" . $r0[0]['channel_hash'] . ">";
+ foreach ($r1 as $entry) {
+ $allowcid .= "<" . $entry['abook_xchan'] . ">";
+ }
+ foreach ($r2 as $entry) {
+ $allowcid .= "<" . $entry['abook_xchan'] . ">";
+ }
+
+ q("UPDATE `photo` SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d",dbesc($allowcid),dbesc($resource_id),intval($profile['uid']));
+
+ } else {
+ q("UPDATE `photo` SET allow_cid = '' WHERE profile = 1 AND uid = %d",intval($profile['uid'])); //Reset permissions on default profile picture to public
+ }
+ }
+
+ return;
+}
+
+/* @brief Initalize the profile-photo edit view
+ *
+ * @param $a Current application
+ * @return void
+ *
+ */
+
function profile_photo_init(&$a) {
if(! local_user()) {
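Review bot: `profile_photo_set_profile_perms()` looks the profile up by id or guid without restricting it to the current channel, then rewrites photo ACLs for whatever `uid` that row carries. `profile_photo_post` (the `@@ -142,6 +206,11 @@` hunk) passes `$_REQUEST['profile']` straight in, so a request-supplied value naming a profile the caller does not own would have that owner's `photo.allow_cid` rewritten from the caller's channel hash. Adding `AND profile.uid = %d` with `intval(local_user())` to the first SELECT, as the default-profile branch already does, ties the lookup to the logged-in channel. Separately, `intval($profileid)` on a guid that begins with digits yields a number that can match an unrelated `profile.id` through the `OR`; choosing the id or guid condition by `is_numeric($profileid)` avoids that. The result of `preg_match` is also used unchecked, so a photo URL that does not fit the pattern leads to an UPDATE with an empty `resource_id`.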
@@ -13,6 +71,12 @@ function profile_photo_init(&$a) {
}
+/* @brief Evaluate posted values
+ *
+ * @param $a Current application
+ * @return void
+ *
+ */
function profile_photo_post(&$a) {
@@ -142,6 +206,11 @@ function profile_photo_post(&$a) {
// Update directory in background
proc_run('php',"include/directory.php",$channel['channel_id']);
+
+ // Now copy profile-permissions to pictures, to prevent privacyleaks by automatically created folder 'Profile Pictures'
+
+ profile_photo_set_profile_perms($_REQUEST['profile']);
+
}
else
notice( t('Unable to process image') . EOL);
@@ -179,6 +248,13 @@ function profile_photo_post(&$a) {
}
+/* @brief Generate content of profile-photo view
+ *
+ * @param $a Current application
+ * @return void
+ *
+ */
+
if(! function_exists('profile_photo_content')) {
function profile_photo_content(&$a) {
@@ -230,7 +306,7 @@ function profile_photo_content(&$a) {
intval(PHOTO_PROFILE),
intval(PHOTO_PROFILE),
intval(local_user()));
-
+
// set all sizes of this one as profile photos
$r = q("UPDATE photo SET profile = 1 WHERE uid = %d AND resource_id = '%s'",
intval(local_user()),
@@ -249,7 +325,8 @@ function profile_photo_content(&$a) {
dbesc($channel['xchan_hash'])
);
- proc_run('php','include/directory.php',local_user());
+ profile_photo_set_profile_perms(); //Reset default photo permissions to public
+ proc_run('php','include/directory.php',local_user());
goaway($a->get_baseurl() . '/profiles');
}
@@ -273,7 +350,7 @@ function profile_photo_content(&$a) {
);
if(! x($a->data,'imagecrop')) {
-
+
$tpl = get_markup_template('profile_photo.tpl');
$o .= replace_macros($tpl,array(
@@ -310,6 +387,14 @@ function profile_photo_content(&$a) {
return; // NOTREACHED
}}
+/* @brief Generate the UI for photo-cropping
+ *
+ * @param $a Current application
+ * @param $ph Photo-Factory
+ * @return void
+ *
+ */
+
if(! function_exists('profile_photo_crop_ui_head')) {
function profile_photo_crop_ui_head(&$a, $ph){
@@ -346,7 +431,7 @@ function profile_photo_crop_ui_head(&$a, $ph){
$p['scale'] = 1;
$r = $ph->save($p);
-
+
if($r === false)
notice( sprintf(t('Image size reduction [%s] failed.'),"640") . EOL );
else
diff --git a/mod/profperm.php b/mod/profperm.php
index 915f2a994..197062936 100644
--- a/mod/profperm.php
+++ b/mod/profperm.php
@@ -10,7 +10,7 @@ function profperm_init(&$a) {
$channel = $a->get_channel();
$which = $channel['channel_address'];
- $profile = $a->argv[1];
+ $profile = $a->argv[1];
profile_load($a,$which,$profile);
@@ -89,6 +89,11 @@ function profperm_content(&$a) {
}
+
+ //Time to update the permissions on the profile-pictures as well
+ require_once('mod/profile_photo.php');
+ profile_photo_set_profile_perms($profile['id']);
+
$r = q("SELECT * FROM abook left join xchan on abook_xchan = xchan_hash WHERE abook_channel = %d AND abook_profile = '%s'",
intval(local_user()),
dbesc($profile['profile_guid'])
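Review bot: The new `profile_photo_set_profile_perms($profile['id'])` call sits in `profperm_content` with no visible condition around it, so as far as this hunk shows the photo ACL is rewritten, with several queries, on every render of the page rather than only after a membership change. If the `$change` flag used further down in the function marks an actual add or remove, gating the call with `if($change)` keeps the write tied to the action that needs it. The function body starts and ends outside the hunk, so the surrounding control flow should be confirmed before moving it.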
@@ -111,9 +116,9 @@ function profperm_content(&$a) {
}
$o .= '<div id="prof-update-wrapper">';
- if($change)
+ if($change)
$o = '';
-
+
$o .= '<div id="prof-members-title">';
$o .= '<h3>' . t('Visible To') . '</h3>';
$o .= '</div>';
@@ -134,7 +139,7 @@ function profperm_content(&$a) {
$o .= '<h3>' . t("All Connections") . '</h3>';
$o .= '</div>';
$o .= '<div id="prof-all-contacts">';
-
+
$r = abook_connections(local_user());
if($r) {