diff options
author | marijus <mario@mariovavti.com> | 2015-02-18 10:41:38 +0100 |
---|---|---|
committer | marijus <mario@mariovavti.com> | 2015-02-18 10:41:38 +0100 |
commit | 2fbb6a5ff5c2b097e42e41ff73587127998ae86e (patch) | |
tree | 27fd3b48d6243e9c1a404e5aa070e79a2efd5c4e | |
parent | e00be4de2353e1ca58570bf37fd247ff99fa549f (diff) | |
download | volse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.tar.gz volse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.tar.bz2 volse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.zip |
do not send activity to channels with no permission to view filestorage
-rw-r--r-- | include/attach.php | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/include/attach.php b/include/attach.php index f973102e8..43b56e4f6 100644 --- a/include/attach.php +++ b/include/attach.php @@ -974,6 +974,11 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid, if(!$object) return; + //filter out receivers which do not have permission to view filestorage + $arr_allow_cid = expand_acl($allow_cid); + $arr_allow_cid = check_list_permissions($channel_id, $arr_allow_cid, 'view_storage'); + $allow_cid = perms2str($arr_allow_cid); + $is_dir = (($object['flags'] & ATTACH_FLAG_DIR) ? true : false); //do not send activity for folders for now @@ -987,6 +992,9 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid, $r_perms = recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_gid, $folder_hash); + //filter out receivers which do not have permission to view filestorage + $r_perms['allow_cid'] = check_list_permissions($channel_id, $r_perms['allow_cid'], 'view_storage'); + $allow_cid = perms2str($r_perms['allow_cid']); $allow_gid = perms2str($r_perms['allow_gid']); $deny_cid = perms2str($r_perms['deny_cid']); @@ -999,7 +1007,6 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid, $objtype = ACTIVITY_OBJ_FILE; $item_flags = ITEM_WALL|ITEM_ORIGIN; -; $private = (($allow_cid || $allow_gid || $deny_cid || $deny_gid) ? 1 : 0); @@ -1157,6 +1164,13 @@ function recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_ $arr_allow_cid = expand_acl($allow_cid); $arr_allow_gid = expand_acl($allow_gid); + + //turn allow_gid into allow_cid's + foreach($arr_allow_gid as $gid) { + $in_group = in_group($gid); + $arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group)); + } + $arr_deny_cid = expand_acl($deny_cid); $arr_deny_gid = expand_acl($deny_gid); @@ -1261,10 +1275,15 @@ function recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_ } function in_group($group_id) { - $r = q("SELECT xchan FROM group_member left join groups on group_member.gid = group.id WHERE hash = '%s' ", + //TODO: make these two queries one with a join. + $x = q("SELECT id FROM groups WHERE hash = '%s'", dbesc($group_id) ); + $r = q("SELECT xchan FROM group_member WHERE gid = %d", + intval($x[0]['id']) + ); + foreach($r as $ig) { $group_members[] = $ig['xchan']; } |