author | friendica <info@friendica.com> | 2013-09-22 22:52:48 -0700 |
---|---|---|
committer | friendica <info@friendica.com> | 2013-09-22 22:52:48 -0700 |
commit | 956d275693c451c4d9ba60751704b80257f37433 (patch) | |
tree | 972cc4a680deea49aeae5c602ac60f1150911495 | |
parent | 3ff96427506de4d7f230b94e333cb5f397ceb895 (diff) | |
download | volse-hubzilla-956d275693c451c4d9ba60751704b80257f37433.tar.gz volse-hubzilla-956d275693c451c4d9ba60751704b80257f37433.tar.bz2 volse-hubzilla-956d275693c451c4d9ba60751704b80257f37433.zip |
fixes for display and search privacy enforcement
-rw-r--r-- | include/security.php | 46 | ||||
-rw-r--r-- | mod/display.php | 4 | ||||
-rw-r--r-- | mod/search.php | 62 |
3 files changed, 76 insertions, 36 deletions
diff --git a/include/security.php b/include/security.php
index 4738e473b..632b8d607 100644
--- a/include/security.php
+++ b/include/security.php
@@ -302,16 +302,19 @@ function public_permissions_sql($observer_hash) {
 			foreach($groups as $g)
 				$gs .= '|<' . $g . '>';
 	}
-	$sql = sprintf(
-		" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
-		  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
-		  ))
-		",
-		dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
-		dbesc($gs),
-		dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
-		dbesc($gs)
-	);
+	$sql = '';
+	if($observer_hash) {
+		$sql = sprintf(
+			" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+			  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+			  ))
+			",
+			dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+			dbesc($gs),
+			dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+			dbesc($gs)
+		);
+	}
 	return $sql;
 }
@@ -424,6 +427,29 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
 			$str .= ',';
 		$str .= intval($rr);
 	}
+logger('stream_perms_api_uids: ' . $str);
 	return $str;
 }
+function stream_perms_xchans($perms_min = PERMS_SITE) {
+	$ret = array();
+	if(local_user())
+		$ret[] = get_observer_hash();
+	$r = q("select channel_hash from channel where channel_r_stream <= %d",
+		intval($perms_min)
+	);
+	if($r)
+		foreach($r as $rr)
+			if(! in_array($rr['channel_hash'],$ret))
+				$ret[] = $rr['channel_hash'];
+
+	$str = '';
+	if($ret)
+		foreach($ret as $rr) {
+			if($str)
+				$str .= ',';
+			$str .= "'" . dbesc($rr) . "'";
+		}
+logger('stream_perms_xchans: ' . $str);
+	return $str;
+}
diff --git a/mod/display.php b/mod/display.php
index d19502eb1..476087ce7 100644
--- a/mod/display.php
+++ b/mod/display.php
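Review bot: The new `if($observer_hash)` guard in public_permissions_sql is the actual privacy fix for anonymous observers, yet nothing says so, and it is a truthiness test rather than an explicit emptiness check, so a reader has to work out from the callers that an empty return means "only fully public items match". Put the contract where it is read, e.g. above the return: `// No observer: emit no OR-clause, so the caller's query matches only items with empty allow/deny lists`. The group lookup that builds `$gs` still runs for an empty observer before the guard is reached; moving the check to the top of the function would avoid that query, but the function head is outside this hunk.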
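Review bot: stream_perms_xchans returns `''` when `$ret` stays empty (no local user and no channel row with channel_r_stream <= perms_min), and both new callers in this commit splice the result directly into `owner_xchan in ( … )`, which is a syntax error for an empty list; guard the return, e.g. `if(! $str) $str = "''";` with a comment that IN() must never receive an empty list, or have the callers skip the query. The two `logger()` calls added at column 0 in stream_perms_api_uids and stream_perms_xchans run unconditionally on every permission check and write the observer hash and channel hashes to the log; they read as leftover debugging and should be removed or gated to `LOGGER_DEBUG`. `in_array($rr['channel_hash'],$ret)` should pass `true` as the third argument for a strict comparison. A short docblock on stream_perms_xchans stating that it returns a comma-separated list of single-quoted, escaped hashes for use in IN() would help the callers. The body of stream_perms_api_uids begins outside the hunk.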
@@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
 				}
 			}
 			if($r === null) {
+dbg(1);
 				$r = q("SELECT * from item WHERE item_restrict = 0 and mid = '%s' AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
-					and uid in ( " . stream_perms_api_uids() . " ))
+					and owner_xchan in ( " . stream_perms_xchans() . " ))
 					$sql_extra ) group by mid limit 1",
 					dbesc($target_item['parent_mid'])
 				);
+dbg(0);
 			}
 		}
diff --git a/mod/search.php b/mod/search.php
index 38131f63f..1cb6cb461 100644
--- a/mod/search.php
+++ b/mod/search.php
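Review bot: `dbg(1);` and `dbg(0);` are added around the public-fallback query in display_content, which switches query debugging on for that statement in production and contradicts the mod/search.php hunks of this same commit, which remove exactly these calls; they should not be committed. The switch to `and owner_xchan in ( " . stream_perms_xchans() . " ))` makes this query depend on the helper never returning an empty list, and nothing here checks the string before it is embedded in the SQL. A one-line comment above the query, e.g. `// anonymous/unprivileged fallback: public items only, restricted to channels whose stream is visible to this observer`, would record why this branch differs from the one above it. display_content continues on both sides of the hunk.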
@@ -183,23 +183,37 @@ function search_content(&$a,$update = 0, $load = false) {
 	}
-
+	$pub_sql = public_permissions_sql(get_observer_hash());
 	if(($update) && ($load)) {
 		$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
-dbg(1);
+
 		if($load) {
-			$r = q("SELECT distinct mid, id as item_id from item
-				WHERE item_restrict = 0
-				AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
-				OR ( `item`.`uid` = %d ))
-				$sql_extra
-				group by mid ORDER BY created DESC $pager_sql ",
-				intval(local_user()),
-				intval(ABOOK_FLAG_BLOCKED)
+			$r = null;
+
+			if(local_user()) {
+				$r = q("SELECT distinct mid, item.* from item
+					WHERE item_restrict = 0
+					AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
+					OR ( `item`.`uid` = %d ))
+					$sql_extra
+					group by mid ORDER BY created DESC $pager_sql ",
+					intval(local_user()),
+					intval(ABOOK_FLAG_BLOCKED)
-			);
-dbg(0);
+				);
+			}
+			if($r === null) {
+				$r = q("SELECT distinct mid, item.* from item
+					WHERE item_restrict = 0
+					AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
+					AND `item`.`deny_gid` = '' AND item_private = 0 )
+					and owner_xchan in ( " . stream_perms_xchans() . " ))
+					$pub_sql )
+					$sql_extra
+					group by mid ORDER BY created DESC $pager_sql"
+				);
+			}
 		} else {
 			$r = array();
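Review bot: The two branches of the new `$r === null` scheme enforce different visibility rules: the `local_user()` query returns every item with empty allow/deny lists and `item_private = 0` whatever its owner, while the anonymous query additionally requires `owner_xchan in ( " . stream_perms_xchans() . " )` and `$pub_sql`. If site members are meant to see public posts from every channel, that asymmetry deserves a comment such as `// logged-in members see all site-public items; anonymous observers are limited to channels whose stream permission covers them`; if not, the owner_xchan filter belongs in both queries. `$pub_sql` is computed before the branch but used only in the anonymous query, so moving `$pub_sql = public_permissions_sql(get_observer_hash());` inside `if($r === null)` spares logged-in users the group lookup. The `intval(ABOOK_FLAG_BLOCKED)` argument carried over into the logged-in query has no matching `%d` visible in that query unless `$sql_extra` supplies one. search_content continues beyond both ends of the hunk.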
@@ -208,19 +222,17 @@ dbg(0);
 		if($r) {
-			$parents_str = ids_to_querystr($r,'item_id');
-dbg(1);
-			$items = q("SELECT `item`.*, `item`.`id` AS `item_id`
-				FROM `item`
-				WHERE item_restrict = 0
-				$sql_extra and parent in ( $parents_str ) "
-//				intval($a->profile['profile_uid']),
-//				dbesc($parents_str)
-			);
-dbg(0);
-			xchan_query($items);
-			$items = fetch_post_tags($items,true);
-			$items = conv_sort($items,'created');
+//			$parents_str = ids_to_querystr($r,'item_id');
+
+//			$items = q("SELECT `item`.*, `item`.`id` AS `item_id`
+//				FROM `item`
+//				WHERE item_restrict = 0
+//				$sql_extra and parent in ( $parents_str ) "
+//			);
+
+			xchan_query($r);
+			$items = fetch_post_tags($r,true);
+//			$items = conv_sort($items,'created');
 		} else {
 			$items = array(); |
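Review bot: The rewritten block keeps the old parents query and the `conv_sort` call as `//`-commented code instead of deleting them; git history already holds that version, and the commented `$sql_extra and parent in ( $parents_str )` text reads as if a second query still runs. Delete those lines and state the new intent in one comment, e.g. `// the search query already returns item.* ordered by created; no parent fetch or thread sort is needed`. With `conv_sort` gone, rows reach the template in query order rather than grouped by thread; confirm the search template tolerates that, as nothing in the hunk shows it. The hunk's own context line is a stray `dbg(0);`, so more debug calls appear to remain elsewhere in search_content, outside this hunk.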