aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authormarijus <mario@mariovavti.com>2015-02-18 10:41:38 +0100
committermarijus <mario@mariovavti.com>2015-02-18 10:41:38 +0100
commit2fbb6a5ff5c2b097e42e41ff73587127998ae86e (patch)
tree27fd3b48d6243e9c1a404e5aa070e79a2efd5c4e
parente00be4de2353e1ca58570bf37fd247ff99fa549f (diff)
downloadvolse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.tar.gz
volse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.tar.bz2
volse-hubzilla-2fbb6a5ff5c2b097e42e41ff73587127998ae86e.zip
do not send activity to channels with no permission to view filestorage
-rw-r--r--include/attach.php23
1 files changed, 21 insertions, 2 deletions
diff --git a/include/attach.php b/include/attach.php
index f973102e8..43b56e4f6 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -974,6 +974,11 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
if(!$object)
return;
+ //filter out receivers which do not have permission to view filestorage
+ $arr_allow_cid = expand_acl($allow_cid);
+ $arr_allow_cid = check_list_permissions($channel_id, $arr_allow_cid, 'view_storage');
+ $allow_cid = perms2str($arr_allow_cid);
+
$is_dir = (($object['flags'] & ATTACH_FLAG_DIR) ? true : false);
//do not send activity for folders for now
@@ -987,6 +992,9 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
$r_perms = recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_gid, $folder_hash);
+ //filter out receivers which do not have permission to view filestorage
+ $r_perms['allow_cid'] = check_list_permissions($channel_id, $r_perms['allow_cid'], 'view_storage');
+
$allow_cid = perms2str($r_perms['allow_cid']);
$allow_gid = perms2str($r_perms['allow_gid']);
$deny_cid = perms2str($r_perms['deny_cid']);
@@ -999,7 +1007,6 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
$objtype = ACTIVITY_OBJ_FILE;
$item_flags = ITEM_WALL|ITEM_ORIGIN;
-;
$private = (($allow_cid || $allow_gid || $deny_cid || $deny_gid) ? 1 : 0);
@@ -1157,6 +1164,13 @@ function recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_
$arr_allow_cid = expand_acl($allow_cid);
$arr_allow_gid = expand_acl($allow_gid);
+
+ //turn allow_gid into allow_cid's
+ foreach($arr_allow_gid as $gid) {
+ $in_group = in_group($gid);
+ $arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group));
+ }
+
$arr_deny_cid = expand_acl($deny_cid);
$arr_deny_gid = expand_acl($deny_gid);
@@ -1261,10 +1275,15 @@ function recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_
}
function in_group($group_id) {
- $r = q("SELECT xchan FROM group_member left join groups on group_member.gid = group.id WHERE hash = '%s' ",
+ //TODO: make these two queries one with a join.
+ $x = q("SELECT id FROM groups WHERE hash = '%s'",
dbesc($group_id)
);
+ $r = q("SELECT xchan FROM group_member WHERE gid = %d",
+ intval($x[0]['id'])
+ );
+
foreach($r as $ig) {
$group_members[] = $ig['xchan'];
}