authorzotlabs <mike@macgirvin.com>2018-04-30 22:30:59 -0700
committerzotlabs <mike@macgirvin.com>2018-04-30 22:30:59 -0700
commit32423a7706c45d0d7187444f50eac33ca4fdfaa0 (patch)
treed96a5b4e1751b0918a20975af5903155c15dbfea
parente841e482589cfc8f9734e313350b6e2b78ea6940 (diff)
parent folder permissions weren't being checked back to the cloud root directory in all cases
-rw-r--r--Zotlabs/Module/Photo.php70
-rw-r--r--include/attach.php39
2 files changed, 47 insertions, 62 deletions
diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php
index 8a110f925..b3171fe75 100644
--- a/Zotlabs/Module/Photo.php
+++ b/Zotlabs/Module/Photo.php
@@ -127,69 +127,45 @@ class Photo extends \Zotlabs\Web\Controller {
}
}
- $r = q("SELECT uid FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
+ $r = q("SELECT uid, photo_usage FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
dbesc($photo),
intval($resolution)
);
if($r) {
-
- $allowed = (($r[0]['uid']) ? perm_is_allowed($r[0]['uid'],$observer_xchan,'view_storage') : true);
-
- $sql_extra = permissions_sql($r[0]['uid']);
- if(! $sql_extra)
- $sql_extra = ' and true ';
-
- // Only check permissions on normal photos. Those photos we don't check includes
- // profile photos, xchan photos (which are also profile photos), 'thing' photos,
- // and cover photos
-
- $sql_extra = " and (( photo_usage = 0 $sql_extra ) or photo_usage != 0 )";
+ $allowed = (-1);
+ if(intval($r[0]['photo_usage'])) {
+ $allowed = 1;
+ if(intval($r[0]['photo_usage']) === PHOTO_COVER)
+ if($resolution < PHOTO_RES_COVER_1200)
+ $allowed = (-1);
+ if(intval($r[0]['photo_usage']) === PHOTO_PROFILE)
+ if(! in_array($resolution,[4,5,6]))
+ $allowed = (-1);
+ }
+ if($allowed === (-1))
+ $allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo);
+
$channel = channelx_by_n($r[0]['uid']);
// Now we'll see if we can access the photo
- $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1",
+ $e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1",
dbesc($photo),
intval($resolution)
);
- // viewing cover photos is allowed unless a plugin chooses to block it.
-
- if($r && intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution >= PHOTO_RES_COVER_1200)
- $allowed = 1;
-
- $d = [ 'imgscale' => $resolution, 'resource_id' => $photo, 'photo' => $r, 'allowed' => $allowed ];
- call_hooks('get_photo',$d);
+ $exists = (($e) ? true : false);
- $resolution = $d['imgscale'];
- $photo = $d['resource_id'];
- $r = $d['photo'];
- $allowed = $d['allowed'];
-
- if($r && $allowed) {
- $data = dbunescbin($r[0]['content']);
- $mimetype = $r[0]['mimetype'];
- if(intval($r[0]['os_storage'])) {
+ if($exists && $allowed) {
+ $data = dbunescbin($e[0]['content']);
+ $mimetype = $e[0]['mimetype'];
+ if(intval($e[0]['os_storage'])) {
$streaming = $data;
}
}
else {
-
- // Does the picture exist? It may be a remote person with no credentials,
- // but who should otherwise be able to view it. Show a default image to let
- // them know permissions was denied. It may be possible to view the image
- // through an authenticated profile visit.
- // There won't be many completely unauthorised people seeing this because
- // they won't have the photo link, so there's a reasonable chance that the person
- // might be able to obtain permission to view it.
-
- $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
- dbesc($photo),
- intval($resolution)
- );
-
- if($r) {
+ if(! $allowed) {
logger('mod_photo: forbidden. ' . \App::$query_string);
$observer = \App::get_observer();
logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)'));
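Review bot: The `SELECT * FROM photo ... $sql_extra LIMIT 1` query now assigned to `$e` still interpolates `$sql_extra`, but this hunk deletes both assignments to it, so unless it is set above the hunk the variable is undefined here and the query runs with no permission clause (plus a PHP notice). Access then rests only on `$allowed`, which appears to be the intent, so the leftover placeholder should go: `$e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",`. The same leftover is in the first include/attach.php hunk, where `$sql_extra = permissions_sql(...)` is removed from attach_by_hash() while the following `SELECT * FROM attach` query keeps `$sql_extra`. This hunk also drops `call_hooks('get_photo',$d)`, so a plugin that used that hook to deny a photo no longer gets a say; worth confirming that is intended. The enclosing method starts and ends outside the hunk.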
@@ -201,9 +177,6 @@ class Photo extends \Zotlabs\Web\Controller {
}
}
-
-
-
if(! isset($data)) {
if(isset($resolution)) {
switch($resolution) {
@@ -295,7 +268,6 @@ class Photo extends \Zotlabs\Web\Controller {
}
killme();
- // NOTREACHED
}
}
diff --git a/include/attach.php b/include/attach.php
index 27bf0218a..0d2b43b58 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -266,14 +266,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
return $ret;
}
- if(! perm_is_allowed($r[0]['uid'], $observer_hash, 'view_storage')) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
- $sql_extra = permissions_sql($r[0]['uid'],$observer_hash);
-
- // Now we'll see if we can access the attachment
+ // We've already checked for existence and permissions
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
dbesc($hash),
@@ -281,20 +279,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
);
if(! $r) {
- $ret['message'] = t('Permission denied.');
+ $ret['message'] = t('Unknown error.');
return $ret;
}
$r[0]['content'] = dbunescbin($r[0]['content']);
- if($r[0]['folder']) {
- $x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
- if(! $x) {
- $ret['message'] = t('Permission denied.');
- return $ret;
- }
- }
-
$ret['success'] = true;
$ret['data'] = $r[0];
@@ -302,6 +292,29 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
}
+function attach_can_view($uid,$ob_hash,$resource) {
+
+ $sql_extra = permissions_sql($uid,$ob_hash);
+ $hash = $resource;
+
+ if(! perm_is_allowed($uid,$ob_hash,'view_storage')) {
+ return false;
+ }
+
+ $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
+ dbesc($hash),
+ intval($uid)
+ );
+ if(! $r) {
+ return false;
+ }
+
+ return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']);
+
+}
+
+
+
function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
$sql_extra = permissions_sql($uid,$ob_hash);
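Review bot: attach_can_view() passes `$r[0]['folder']` to attach_can_view_folder() unconditionally, whereas the code it replaces in attach_by_hash() only made that call under `if($r[0]['folder'])`. The body of attach_can_view_folder() is outside this hunk, so confirm it grants access for an empty folder hash; otherwise files stored directly in the cloud root would now be denied. The `select folder from attach` query also has no revision filter or `LIMIT 1`, so if several rows can share a hash and uid, `$r[0]` may not be the row that attach_by_hash() later returns. Since this function is now the single permission gate for both photos and attachments, I would add a doc comment stating that it returns false when the observer lacks `view_storage`, when no matching attach row is visible to the observer, or when a parent folder is not viewable.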