author | redmatrix <redmatrix@redmatrix.me> | 2015-09-28 19:45:57 -0700 |
---|---|---|
committer | redmatrix <redmatrix@redmatrix.me> | 2015-09-28 19:45:57 -0700 |
commit | f965209eee06b3affbd3165e6c165e02f76bcabd (patch) | |
tree | 8c170543e9e7ee3a0ac9da0cef540b9a8502296c | |
parent | 5c526995d8534465602775dfddebd8d77855d2e2 (diff) | |
check public scopes against visitor in item_permissions_sql()
-rw-r--r-- | include/security.php | 40 | ||||
-rw-r--r-- | mod/channel.php | 1 |
2 files changed, 38 insertions, 3 deletions
diff --git a/include/security.php b/include/security.php
index 380505a79..03e03ad40 100644
--- a/include/security.php
+++ b/include/security.php
@@ -245,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
 if($observer) {
+
+ $s = scopes_sql($owner_id,$observer);
+
 $groups = init_groups_visitor($observer);
 $gs = '<<>>'; // should be impossible to match
@@ -256,8 +259,8 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 $regexop = db_getfunc('REGEXP');
 $sql = sprintf(
 " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
- AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
- )
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+ ) OR ( item_private = 1 $s )
 ",
 dbesc(protect_sprintf( '%<' . $observer . '>%')),
 dbesc($gs),
@@ -271,6 +274,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 }
 /**
+ * Remote visitors also need to be checked against the public_scope parameter if item_private is set.
+ * This function checks the various permutations of that field for any which apply to this observer.
+ *
+ */
+
+
+
+function scopes_sql($uid,$observer) {
+ $str = " and ( public_policy = 'authenticated' ";
+ if(! is_foreigner($observer))
+ $str .= " or public_policy = 'network: red' ";
+ if(local_channel())
+ $str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' ";
+
+ $ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
+ dbesc($observer),
+ intval($uid)
+ );
+ if(! $ab)
+ return $str . " ) ";
+ if($ab[0]['abook_pending'])
+ $str .= " or public_policy = 'any connections' ";
+ $str .= " or public_policy = 'contacts' ) ";
+ return $str;
+}
+
+
+
+
+
+
+
+/**
 * @param string $observer_hash
 *
 * @return string additional SQL where statement
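Review bot: The added `OR ( item_private = 1 $s )` branch in the second hunk sits outside the group opened by `" AND ( NOT (deny_cid ...`, so the fragment returned by item_permissions_sql() now has the shape ` AND ( ... ) OR ( ... )`. Because AND binds tighter than OR, a row that matches the scope branch satisfies the whole WHERE clause this fragment is appended to, regardless of the conditions the caller wrote before it (owner, deleted or hidden flags and the like; the callers are outside this diff, so this should be checked against them). Wrapping both alternatives in one group keeps the caller's conditions in force: open with `" AND (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')` and close with `) OR ( item_private = 1 $s )) "`. The scope branch also skips the deny_cid/deny_gid test, so an observer who is explicitly denied still matches when the scope applies; if that is not intended, the `NOT (deny_cid ...)` term should cover both alternatives.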
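Review bot: The connection check at the end of scopes_sql() looks inverted: a pending abook row gets both `'any connections'` and `'contacts'`, while an approved one gets only `'contacts'`. If `'contacts'` is meant for approved connections and `'any connections'` for any abook row (the scope meanings are not defined in this diff, so this needs confirming), an unapproved connection can read contacts-only private items. The lines would then read `$str .= " or public_policy = 'any connections' ";` followed by `if(! $ab[0]['abook_pending']) $str .= " or public_policy = 'contacts' ";` and `return $str . " ) ";`. Separately, `get_app()->get_hostname()` is concatenated into the SQL without `dbesc()`, and the result is later interpolated into the sprintf() format string in item_permissions_sql(), so it should go through `protect_sprintf(dbesc(...))` as the observer hash does. The new docblock says `public_scope` where the column tested is `public_policy`, and it documents neither parameters nor the returned fragment.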
diff --git a/mod/channel.php b/mod/channel.php
index d1064e939..f582eaf75 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -153,7 +153,6 @@ function channel_content(&$a, $update = 0, $load = false) {
 else
 $page_mode = 'client';
- $abook_uids = " and abook.abook_channel = " . intval($a->profile['profile_uid']) . " ";
 $simple_update = (($update) ? " AND item_unseen = 1 " : ''); |