aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2012-12-16 03:38:04 -0800
committerfriendica <info@friendica.com>2012-12-16 03:38:04 -0800
commit5d008a6923b631acf3bad7d82be680cc668475b6 (patch)
tree1794b4b91ea47b84fe1f4ef9a40ad0559b506f81
parent00128955eb4d4a36e1afaf61cff93c8a811564d4 (diff)
downloadvolse-hubzilla-5d008a6923b631acf3bad7d82be680cc668475b6.tar.gz
volse-hubzilla-5d008a6923b631acf3bad7d82be680cc668475b6.tar.bz2
volse-hubzilla-5d008a6923b631acf3bad7d82be680cc668475b6.zip
fixing permissions_sql - may need more tweaks
-rw-r--r--include/security.php131
-rw-r--r--mod/channel.php2
2 files changed, 47 insertions, 86 deletions
diff --git a/include/security.php b/include/security.php
index c47ab1524..ddfb8201d 100644
--- a/include/security.php
+++ b/include/security.php
@@ -182,7 +182,8 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
$sql = " AND allow_cid = ''
AND allow_gid = ''
AND deny_cid = ''
- AND deny_gid = ''
+ AND deny_gid = ''
+
";
/**
@@ -201,54 +202,31 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
* done this and passed the groups into this function.
*/
- elseif($remote_user) {
- if(! $remote_verified) {
- $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
- intval($remote_user),
- intval($owner_id)
- );
- if(count($r)) {
- $remote_verified = true;
- $groups = init_groups_visitor($remote_user);
- }
- }
- if($remote_verified) {
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . intval($g) . '>';
- }
-
- /*$sql = sprintf(
- " AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
- AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
- AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
- AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')
- ",
- intval($remote_user),
- intval($remote_user),
- dbesc($gs),
- dbesc($gs)
- );*/
- $sql = sprintf(
- " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
- AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- intval($remote_user),
- dbesc($gs),
- intval($remote_user),
- dbesc($gs)
- );
- }
+ else {
+ $observer = get_app()->get_observer();
+ $groups = init_groups_visitor($remote_user);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs)
+ );
}
return $sql;
}
-
function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) {
$local_user = local_user();
@@ -260,12 +238,8 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
* default permissions - anonymous user
*/
- $sql = " AND allow_cid = ''
- AND allow_gid = ''
- AND deny_cid = ''
- AND deny_gid = ''
- AND private = 0
- ";
+ $sql = " AND not (item_flags & " . ITEM_PRIVATE . ") ";
+
/**
* Profile owner - everything is visible
@@ -283,45 +257,33 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
* done this and passed the groups into this function.
*/
- elseif($remote_user) {
- if(! $remote_verified) {
- $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
- intval($remote_user),
- intval($owner_id)
- );
- if(count($r)) {
- $remote_verified = true;
- $groups = init_groups_visitor($remote_user);
- }
- }
- if($remote_verified) {
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . intval($g) . '>';
- }
-
- $sql = sprintf(
- " AND ( private = 0 OR ( private = 1 AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
- AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
- AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
- AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')))
- ",
- intval($remote_user),
- intval($remote_user),
- dbesc($gs),
- dbesc($gs)
- );
- }
+ else {
+ $observer = get_app()->get_observer();
+ $groups = init_groups_visitor($remote_user);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs)
+ );
}
-
return $sql;
}
+
/*
* Functions used to protect against Cross-Site Request Forgery
* The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
@@ -388,8 +350,7 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
if(! function_exists('init_groups_visitor')) {
function init_groups_visitor($contact_id) {
$groups = array();
- $r = q("SELECT `gid` FROM `group_member`
- WHERE `contact-id` = %d ",
+ $r = q("SELECT gid FROM group_member WHERE xchan = '%s' ",
intval($contact_id)
);
if(count($r)) {
diff --git a/mod/channel.php b/mod/channel.php
index 62fcf1be7..7fecad427 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -127,7 +127,7 @@ function channel_content(&$a, $update = 0, $load = false) {
* Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
*/
-// fixme
+
$sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups);