Merge branch 'master', remote-tracking branch 'remotes/upstream/master'

* remotes/upstream/master:
  Existing photos could not be used as profile photos anymore - should be fixed now. And some extra logging in the CSRF-Protection to make debugging easier
  community discovery cont., cleanup of DB debugging

* master:

10 files changed, 66 insertions, 30 deletions

diff --git a/include/dba.php b/include/dba.php
index 7455b6b3e..5beea7a3a 100755
--- a/include/dba.php
+++ b/include/dba.php
@@ -1,5 +1,7 @@
 <?php
 
+require_once('include/datetime.php');
+
 /**
  *
  * MySQL database class
@@ -104,19 +106,17 @@ class dba {
 
 			logger('dba: ' . $str );
 		}
-		else {
 
-			/**
-			 * If dbfail.out exists, we will write any failed calls directly to it,
-			 * regardless of any logging that may or may nor be in effect.
-			 * These usually indicate SQL syntax errors that need to be resolved.
-			 */
+		/**
+		 * If dbfail.out exists, we will write any failed calls directly to it,
+		 * regardless of any logging that may or may nor be in effect.
+		 * These usually indicate SQL syntax errors that need to be resolved.
+		 */
 
-			if($result === false) {
-				logger('dba: ' . printable($sql) . ' returned false.');
-				if(file_exists('dbfail.out'))
-					file_put_contents('dbfail.out', printable($sql) . ' returned false' . "\n", FILE_APPEND);
-			}
+		if($result === false) {
+			logger('dba: ' . printable($sql) . ' returned false.');
+			if(file_exists('dbfail.out'))
+				file_put_contents('dbfail.out', datetime_convert() . "\n" . printable($sql) . ' returned false' . "\n", FILE_APPEND);
 		}
 
 		if(($result === true) || ($result === false))
@@ -140,7 +140,7 @@ class dba {
 
     
 		if($this->debug)
-			logger('dba: ' . printable(print_r($r, true)), LOGGER_DATA);
+			logger('dba: ' . printable(print_r($r, true)));
 		return($r);
 	}
 
diff --git a/include/delivery.php b/include/delivery.php
index 44a482ca2..532dcd699 100755
--- a/include/delivery.php
+++ b/include/delivery.php
@@ -256,7 +256,8 @@ function delivery_run($argv, $argc){
 					'$picdate'      => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) ,
 					'$uridate'      => xmlify(datetime_convert('UTC','UTC',$owner['uri-date']    . '+00:00' , ATOM_TIME)) ,
 					'$namdate'      => xmlify(datetime_convert('UTC','UTC',$owner['name-date']   . '+00:00' , ATOM_TIME)) ,
-					'$birthday'     => $birthday
+					'$birthday'     => $birthday,
+					'$community'    => (($owner['page-flags'] == PAGE_COMMUNITY) ? '<dfrn:community>1</dfrn:community>' : '')
 			));
 
 			foreach($items as $item) {
diff --git a/include/items.php b/include/items.php
index 5e1fec557..5a297c83e 100755
--- a/include/items.php
+++ b/include/items.php
@@ -28,7 +28,7 @@ function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0)
 
 	$sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid`  = '' AND `deny_gid`  = '' ";
 
-	$r = q("SELECT `contact`.*, `user`.`uid` AS `user_uid`, `user`.`nickname`, `user`.`timezone`
+	$r = q("SELECT `contact`.*, `user`.`uid` AS `user_uid`, `user`.`nickname`, `user`.`timezone`, `user`.`page-flags`
 		FROM `contact` LEFT JOIN `user` ON `user`.`uid` = `contact`.`uid`
 		WHERE `contact`.`self` = 1 AND `user`.`nickname` = '%s' LIMIT 1",
 		dbesc($owner_nick)
@@ -156,7 +156,8 @@ function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0)
 		'$picdate'      => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) ,
 		'$uridate'      => xmlify(datetime_convert('UTC','UTC',$owner['uri-date']    . '+00:00' , ATOM_TIME)) ,
 		'$namdate'      => xmlify(datetime_convert('UTC','UTC',$owner['name-date']   . '+00:00' , ATOM_TIME)) , 
-		'$birthday'     => ((strlen($birthday)) ? '<dfrn:birthday>' . xmlify($birthday) . '</dfrn:birthday>' : '')
+		'$birthday'     => ((strlen($birthday)) ? '<dfrn:birthday>' . xmlify($birthday) . '</dfrn:birthday>' : ''),
+		'$community'    => (($owner['page-flags'] == PAGE_COMMUNITY) ? '<dfrn:community>1</dfrn:community>' : '')
 	));
 
 	call_hooks('atom_feed', $atom);
@@ -1404,6 +1405,19 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0)
 
 	}
 
+	$community_page = 0;
+	$rawtags = $feed->get_feed_tags( NAMESPACE_DFRN, 'community');
+	if($rawtags) {
+		$community_page = intval($rawtags[0]['data']);
+	}
+	if(is_array($contact) && intval($contact['forum']) != $community_page) {
+		q("update contact set forum = %d where id = %d limit 1",
+			intval($community_page),
+			intval($contact['id'])
+		);
+		$contact['forum'] = (string) $community_page;
+	}
+
 
 	// process any deleted entries
 
@@ -1987,6 +2001,19 @@ function local_delivery($importer,$data) {
 
 		// NOTREACHED
 	}	
+
+	$community_page = 0;
+	$rawtags = $feed->get_feed_tags( NAMESPACE_DFRN, 'community');
+	if($rawtags) {
+		$community_page = intval($rawtags[0]['data']);
+	}
+	if(intval($importer['forum']) != $community_page) {
+		q("update contact set forum = %d where id = %d limit 1",
+			intval($community_page),
+			intval($importer['id'])
+		);
+		$importer['forum'] = (string) $community_page;
+	}
 	
 	logger('local_delivery: feed item count = ' . $feed->get_item_quantity());
 
diff --git a/include/notifier.php b/include/notifier.php
index 07edc7046..d63ad7ae7 100755
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -337,7 +337,9 @@ function notifier_run($argv, $argc){
 			'$picdate'      => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) ,
 			'$uridate'      => xmlify(datetime_convert('UTC','UTC',$owner['uri-date']    . '+00:00' , ATOM_TIME)) ,
 			'$namdate'      => xmlify(datetime_convert('UTC','UTC',$owner['name-date']   . '+00:00' , ATOM_TIME)) ,
-			'$birthday'     => $birthday
+			'$birthday'     => $birthday,
+			'$community'    => (($owner['page-flags'] == PAGE_COMMUNITY) ? '<dfrn:community>1</dfrn:community>' : '')
+
 	));
 
 	if($mail) {
diff --git a/include/poller.php b/include/poller.php
index 3bc98e36f..8262c1d60 100755
--- a/include/poller.php
+++ b/include/poller.php
@@ -232,7 +232,7 @@ function poller_run($argv, $argc){
 
 			$importer_uid = $contact['uid'];
 		
-			$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
+			$r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `contact`.`uid` = `user`.`uid` WHERE `user`.`uid` = %d AND `contact`.`self` = 1 LIMIT 1",
 				intval($importer_uid)
 			);
 			if(! count($r))
diff --git a/include/security.php b/include/security.php
index 45473445a..19e91eb63 100755
--- a/include/security.php
+++ b/include/security.php
@@ -299,16 +299,16 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
  *    Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
  *    so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
  */ 
-function get_form_security_token($typename = "") {
+function get_form_security_token($typename = '') {
 	$a = get_app();
 	
 	$timestamp = time();
-	$sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $timestamp . $typename);
+	$sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename);
 	
-	return $timestamp . "." . $sec_hash;
+	return $timestamp . '.' . $sec_hash;
 }
 
-function check_form_security_token($typename = "", $formname = 'form_security_token') {
+function check_form_security_token($typename = '', $formname = 'form_security_token') {
 	if (!x($_REQUEST, $formname)) return false;
 	$hash = $_REQUEST[$formname];
 	
@@ -316,10 +316,10 @@ function check_form_security_token($typename = "", $formname = 'form_security_to
 	
 	$a = get_app();
 	
-	$x = explode(".", $hash);
+	$x = explode('.', $hash);
 	if (time() > (IntVal($x[0]) + $max_livetime)) return false;
 	
-	$sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $x[0] . $typename);
+	$sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename);
 	
 	return ($sec_hash == $x[1]);
 }
@@ -327,15 +327,19 @@ function check_form_security_token($typename = "", $formname = 'form_security_to
 function check_form_security_std_err_msg() {
 	return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before subitting it.') . EOL;
 }
-function check_form_security_token_redirectOnErr($err_redirect, $typename = "", $formname = 'form_security_token') {
+function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
 	if (!check_form_security_token($typename, $formname)) {
 		$a = get_app();
+		logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
+		logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
 		notice( check_form_security_std_err_msg() );
 		goaway($a->get_baseurl() . $err_redirect );
 	}
 }
-function check_form_security_token_ForbiddenOnErr($typename = "", $formname = 'form_security_token') {
+function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
 	if (!check_form_security_token($typename, $formname)) {
+		logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
+		logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
 		header('HTTP/1.1 403 Forbidden');
 		killme();
 	}
diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index b12e07132..fe5cd4906 100755
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -199,7 +199,7 @@ function dfrn_poll_post(&$a) {
 	$ptype        = ((x($_POST,'type'))         ? $_POST['type']                 : '');
 	$dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0);
 	$perm         = ((x($_POST,'perm'))         ? $_POST['perm']                 : 'r');
-
+          
 	if($ptype === 'profile-check') {
 
 		if((strlen($challenge)) && (strlen($sec))) {
@@ -358,8 +358,8 @@ function dfrn_poll_post(&$a) {
 					intval($contact_id)
 				);
 			}
-		}				
-
+		}
+				
 		header("Content-type: application/atom+xml");
 		$o = get_feed_for($a,$dfrn_id, $a->argv[1], $last_update, $direction);
 		echo $o;
diff --git a/mod/photos.php b/mod/photos.php
index e40ae0d74..4406780d3 100755
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -1069,7 +1069,7 @@ function photos_content(&$a) {
 		if($can_post && ($ph[0]['uid'] == $owner_uid)) {
 			$tools = array(
 				'edit'	=> array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . (($cmd === 'edit') ? '' : '/edit'), (($cmd === 'edit') ? t('View photo') : t('Edit photo'))),
-				'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'], t('Use as profile photo')),
+				'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'] . '?form_security_token=' . get_form_security_token('profile_photo'), t('Use as profile photo')),
 			);
 
 			// lock
diff --git a/view/atom_feed.tpl b/view/atom_feed.tpl
index 72cf8e4fd..2feb547ee 100755
--- a/view/atom_feed.tpl
+++ b/view/atom_feed.tpl
@@ -16,6 +16,7 @@
   <link rel="license" href="http://creativecommons.org/licenses/by/3.0/" />
   $hub
   $salmon
+  $community
 
   <updated>$feed_updated</updated>
 
diff --git a/view/atom_feed_dfrn.tpl b/view/atom_feed_dfrn.tpl
index 3d6bcc5b5..0bae62b52 100755
--- a/view/atom_feed_dfrn.tpl
+++ b/view/atom_feed_dfrn.tpl
@@ -12,10 +12,11 @@
 
   <id>$feed_id</id>
   <title>$feed_title</title>
-  <generator uri="http://friendika.com" version="$version">Friendika</generator>
+  <generator uri="http://friendica.com" version="$version">Friendica</generator>
   <link rel="license" href="http://creativecommons.org/licenses/by/3.0/" />
   $hub
   $salmon
+  $community
 
   <updated>$feed_updated</updated>