aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2012-03-09 00:31:17 -0800
committerfriendica <info@friendica.com>2012-03-09 00:31:17 -0800
commit312c17504515b0f6c77b2e59ef8569dbf8d048fa (patch)
tree4698b1b827d7859d1c418485fe530803064783d1
parent2050f886cc020c50684df14830bc98e40200309c (diff)
downloadvolse-hubzilla-312c17504515b0f6c77b2e59ef8569dbf8d048fa.tar.gz
volse-hubzilla-312c17504515b0f6c77b2e59ef8569dbf8d048fa.tar.bz2
volse-hubzilla-312c17504515b0f6c77b2e59ef8569dbf8d048fa.zip
bug in check for private email comment to public conversation prevents authenticated visitor from seeing comments that should be allowed
-rwxr-xr-xinclude/conversation.php31
-rwxr-xr-xinclude/security.php1
2 files changed, 9 insertions, 23 deletions
diff --git a/include/conversation.php b/include/conversation.php
index f1134975a..526c6ea00 100755
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -179,9 +179,11 @@ function localize_item(&$item){
* that are based on unique features of the calling module.
*
*/
- if(!function_exists('conversation')){
+
+if(!function_exists('conversation')) {
function conversation(&$a, $items, $mode, $update, $preview = false) {
+
require_once('bbcode.php');
$profile_owner = 0;
@@ -418,26 +420,6 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
$toplevelprivate = (($toplevelpost && $item['private']) ? true : false);
$item_writeable = (($item['writable'] || $item['self']) ? true : false);
- // DISABLED
- /*
- if($blowhard == $item['cid'] && (! $item['self']) && ($mode != 'profile') && ($mode != 'notes')) {
- $blowhard_count ++;
- if($blowhard_count == 3) {
- $o .= '<div class="icollapse-wrapper fakelink" id="icollapse-wrapper-' . $item['parent']
- . '" onclick="openClose(' . '\'icollapse-' . $item['parent'] . '\'); $(\'#icollapse-wrapper-' . $item['parent'] . '\').hide();" >'
- . t('See more posts like this') . '</div>' . '<div class="icollapse" id="icollapse-'
- . $item['parent'] . '" style="display: none;" >';
- }
- }
- else {
- $blowhard = $item['cid'];
- if($blowhard_count >= 3)
- $o .= '</div>';
- $blowhard_count = 0;
- }
- // END DISABLED
- */
-
$comments_seen = 0;
$comments_collapsed = false;
$comment_lastcollapsed = false;
@@ -445,13 +427,16 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
$threadsid++;
$threads[$threadsid]['id'] = $item['item_id'];
+ $threads[$threadsid]['private'] = $item['private'];
$threads[$threadsid]['items'] = array();
}
else {
- // prevent private email from leaking into public conversation
- if((! $toplevelpost) && (! $toplevelprivate) && ($item['private']) && ($profile_owner != local_user()))
+
+ // prevent private email reply to public conversation from leaking.
+ if($item['private'] && ! $threads[$threadsid]['private'])
continue;
+
$comments_seen ++;
$comment_lastcollapsed = false;
$comment_firstcollapsed = false;
diff --git a/include/security.php b/include/security.php
index f469dad66..8c536b656 100755
--- a/include/security.php
+++ b/include/security.php
@@ -283,6 +283,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
);
}
}
+
return $sql;
}