aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2014-07-26 18:48:25 -0700
committerfriendica <info@friendica.com>2014-07-26 18:48:25 -0700
commit3d7d6ec21f1b348221ad6f25d9865213339a6b47 (patch)
treedec787be84f3811aa49873e9036afd988fbbbdb8
parent4f90070e5e8f5dc92bddc5a07754900b5049a178 (diff)
downloadvolse-hubzilla-3d7d6ec21f1b348221ad6f25d9865213339a6b47.tar.gz
volse-hubzilla-3d7d6ec21f1b348221ad6f25d9865213339a6b47.tar.bz2
volse-hubzilla-3d7d6ec21f1b348221ad6f25d9865213339a6b47.zip
honour sys channel permissions for who can view the sys owned content
-rw-r--r--mod/display.php13
-rw-r--r--mod/search.php8
-rw-r--r--version.inc2
3 files changed, 19 insertions, 4 deletions
diff --git a/mod/display.php b/mod/display.php
index 31cce95d3..c389eb976 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -139,7 +139,9 @@ function display_content(&$a, $update = 0, $load = false) {
}
- $sql_extra = public_permissions_sql(get_observer_hash());
+ $observer_hash = get_observer_hash();
+
+ $sql_extra = public_permissions_sql($observer_hash);
if(($update && $load) || ($_COOKIE['jsAvailable'] != 1)) {
@@ -170,12 +172,19 @@ function display_content(&$a, $update = 0, $load = false) {
}
if($r === null) {
+ // in case somebody turned off public access to sys channel content using permissions
+ // make that content unsearchable by ensuring the owner_xchan can't match
+
+ if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
+ $sys['xchan_hash'] .= 'disabled';
+
+
$r = q("SELECT * from item
WHERE item_restrict = 0
and mid = '%s'
AND (((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
AND `item`.`deny_gid` = '' AND item_private = 0 )
- and owner_xchan in ( " . stream_perms_xchans(($observer) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
+ and owner_xchan in ( " . stream_perms_xchans(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
OR owner_xchan = '%s')
$sql_extra )
group by mid limit 1",
diff --git a/mod/search.php b/mod/search.php
index 663d355e2..15ac71376 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -23,6 +23,7 @@ function search_content(&$a,$update = 0, $load = false) {
$observer = $a->get_observer();
+ $observer_hash = (($observer) ? $observer['xchan_hash'] : '');
$o = '<div id="live-search"></div>' . "\r\n";
@@ -113,7 +114,7 @@ function search_content(&$a,$update = 0, $load = false) {
}
- $pub_sql = public_permissions_sql(get_observer_hash());
+ $pub_sql = public_permissions_sql($observer_hash);
require_once('include/identity.php');
@@ -124,6 +125,11 @@ function search_content(&$a,$update = 0, $load = false) {
$a->set_pager_itemspage(((intval($itemspage)) ? $itemspage : 20));
$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
+ // in case somebody turned off public access to sys channel content with permissions
+
+ if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
+ $sys['xchan_hash'] .= 'disabled';
+
if($load) {
$r = null;
diff --git a/version.inc b/version.inc
index 17beec5df..ac8053138 100644
--- a/version.inc
+++ b/version.inc
@@ -1 +1 @@
-2014-07-25.747
+2014-07-26.748