authorfriendica <info@friendica.com>2013-09-20 17:58:11 -0700
committerfriendica <info@friendica.com>2013-09-20 17:58:11 -0700
commit1126d8f2e3ee8356cf619e9e817fb448079634e6 (patch)
tree6dcff37d5d394eaae4c68f50783cd8150fac2111
parent06389f87dfd21aee7f152650d08b272f69f17faa (diff)
hopefully this will go over a bit better - check the post owner's comment permissions as well as the local owner's permissions when a comment is submitted, since a comment was previously accepted blindly on the local system because only the profile owner's permissions were checked. Also change the collections query to include only top-level posts by a member of the collection.
-rwxr-xr-xinclude/items.php4
-rw-r--r--mod/item.php10
-rw-r--r--mod/network.php2
3 files changed, 13 insertions, 3 deletions
diff --git a/include/items.php b/include/items.php
index a60e3fdd6..4e8a5c46f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -68,6 +68,8 @@ function can_comment_on_post($observer_xchan,$item) {
return false;
if($item['comment_policy'] === 'none')
return false;
+ if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
+ return true;
switch($item['comment_policy']) {
case 'self':
if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
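Review bot: The `case 'self':` comparison on the last line of the hunk can no longer be the one that grants access, because the added early return at the top of the hunk already returns true for the same author/owner identity; either drop the now-redundant check or mark it, so the two copies cannot drift apart. The early return also short-circuits every later policy case for the owner and author, which matches the commit message but deserves a comment at the added lines, e.g. `// the thread's owner and author may always comment, whatever the comment_policy`. Note that the `comment_policy === 'none'` test just above still runs first, so a 'none' policy locks out the author as well — confirm that is intended. can_comment_on_post begins and ends outside this hunk.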
@@ -3660,7 +3662,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
info( t('Group is empty'));
}
- $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
+ $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
}
elseif($arr['cid'] && $uid) {
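Review bot: The rewritten `$sql_extra` on the `+` line is the same string this commit also writes into mod/network.php, so the new `id = parent` restriction now has to be kept in sync by hand in two files; extract it into one helper in include/items.php that both callers use. The query is still assembled by string interpolation: `$r[0]['hash']` goes through `dbesc()` and `protect_sprintf()`, but `dbesc()` does not neutralise the LIKE metacharacters `%` and `_`, so the `allow_gid like '%<hash>%'` match relies on the collection hash never containing them — presumably it is generated, but confirm. `$contact_str` and `$sql_options` are built outside the hunk and their escaping cannot be seen here. items_fetch begins and ends outside this hunk.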
diff --git a/mod/item.php b/mod/item.php
index 895784ff9..2ebb02869 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -153,11 +153,19 @@ function item_post(&$a) {
}
+ $observer = $a->get_observer();
+
+
if($parent) {
logger('mod_item: item_post parent=' . $parent);
+ if(! can_comment_on_post($observer['xchan_hash'],$parent_item)) {
+ notice( t('Permission denied.') . EOL) ;
+ if(x($_REQUEST,'return'))
+ goaway($a->get_baseurl() . "/" . $return_path );
+ killme();
+ }
}
- $observer = $a->get_observer();
if(! perm_is_allowed($profile_uid,$observer['xchan_hash'],(($parent) ? 'post_comments' : 'post_wall'))) {
notice( t('Permission denied.') . EOL) ;
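Review bot: The new deny block on the `+` lines repeats the notice/goaway/killme sequence that the `perm_is_allowed` check immediately below already performs, and the two checks could be folded into one condition so there is a single denial path: `if(! perm_is_allowed($profile_uid,$observer['xchan_hash'],(($parent) ? 'post_comments' : 'post_wall')) || ($parent && ! can_comment_on_post($observer['xchan_hash'],$parent_item))) {`. `$observer` comes from `$a->get_observer()` and is indexed as `$observer['xchan_hash']` with no check that it is an array; if get_observer() can return null for an anonymous visitor, that reads null and the outcome then depends on how can_comment_on_post treats an empty observer, so guard it explicitly, e.g. `$observer_hash = (($observer) ? $observer['xchan_hash'] : '');`. `$parent_item` and `$return_path` are assigned outside the hunk, and the new check assumes `$parent_item` carries `comment_policy`, `author_xchan` and `owner_xchan`. The two blank `+` lines after the `$observer` assignment are stray whitespace. item_post begins and ends outside this hunk.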
diff --git a/mod/network.php b/mod/network.php
index 0d5f57a39..ac8c38290 100644
--- a/mod/network.php
+++ b/mod/network.php
@@ -446,7 +446,7 @@ function network_content(&$a, $update = 0, $load = false) {
info( t('Group is empty'));
}
- $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
+ $sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
}
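Review bot: The `+` line duplicates the collection query that this same commit rewrites in include/items.php items_fetch(), including the new `id = parent` clause, so the next adjustment is likely to land in only one of the two files; replace both with a call to one shared builder, e.g. `$sql_extra = collection_parent_sql($r[0]['hash'], $contact_str, $sql_options);` defined in include/items.php. The `id = parent` predicate is the whole point of the change and is easy to miss inside the long string, so add `// only top-level posts authored/owned by a collection member, or shared with the collection` above it. network_content begins and ends outside this hunk.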