authorredmatrix <redmatrix@redmatrix.me>2015-09-28 19:45:57 -0700
committerredmatrix <redmatrix@redmatrix.me>2015-09-28 19:45:57 -0700
commitf965209eee06b3affbd3165e6c165e02f76bcabd (patch)
tree8c170543e9e7ee3a0ac9da0cef540b9a8502296c
parent5c526995d8534465602775dfddebd8d77855d2e2 (diff)
check public scopes against visitor in item_permissions_sql()
-rw-r--r--include/security.php40
-rw-r--r--mod/channel.php1
2 files changed, 38 insertions, 3 deletions
diff --git a/include/security.php b/include/security.php
index 380505a79..03e03ad40 100644
--- a/include/security.php
+++ b/include/security.php
@@ -245,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
+
+ $s = scopes_sql($owner_id,$observer);
+
$groups = init_groups_visitor($observer);
$gs = '<<>>'; // should be impossible to match
@@ -256,8 +259,8 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$regexop = db_getfunc('REGEXP');
$sql = sprintf(
" AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
- AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
- )
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+ ) OR ( item_private = 1 $s )
",
dbesc(protect_sprintf( '%<' . $observer . '>%')),
dbesc($gs),
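Review bot: The new `OR ( item_private = 1 $s )` on the last changed line sits outside the group that the fragment opens with `AND (`, so once this string is appended to the caller's WHERE clause, SQL's AND-before-OR precedence makes the scope branch an alternative to everything that precedes it, not just to the allow/deny test — any other predicate the caller put in that WHERE (owner, type, or other visibility filters) can be bypassed by a private item whose `public_policy` matches the visitor. The branch also skips the `deny_cid`/`deny_gid` test, so an observer the owner explicitly denied still receives the row if they fall into a matching scope. Both problems go away by moving the branch inside the existing allow group: end the allow line with `OR ( item_private = 1 $s ) )` and restore the closing line to `)`. The rest of the sprintf arguments and the function's return are outside this hunk.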
@@ -271,6 +274,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
}
/**
+ * Remote visitors also need to be checked against the public_scope parameter if item_private is set.
+ * This function checks the various permutations of that field for any which apply to this observer.
+ *
+ */
+
+
+
+function scopes_sql($uid,$observer) {
+ $str = " and ( public_policy = 'authenticated' ";
+ if(! is_foreigner($observer))
+ $str .= " or public_policy = 'network: red' ";
+ if(local_channel())
+ $str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' ";
+
+ $ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
+ dbesc($observer),
+ intval($uid)
+ );
+ if(! $ab)
+ return $str . " ) ";
+ if($ab[0]['abook_pending'])
+ $str .= " or public_policy = 'any connections' ";
+ $str .= " or public_policy = 'contacts' ) ";
+ return $str;
+}
+
+
+
+
+
+
+
+/**
* @param string $observer_hash
*
* @return string additional SQL where statement
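Review bot: The `abook_pending` handling in `scopes_sql` looks inverted: because the `'contacts'` clause is appended unconditionally after the pending check, a pending (presumably not yet approved) connection is granted `'contacts'`, while an approved connection never receives `'any connections'`; if `'any connections'` is the broader scope and `'contacts'` the approved-only one — which the names suggest but the hunk does not prove — the two conditions need swapping. The `site:` clause also concatenates `get_app()->get_hostname()` into the SQL string without `dbesc()`, unlike every other value in this function; even if the hostname is trusted configuration it should be escaped for consistency, `dbesc(get_app()->get_hostname())`. The doc comment speaks of a `public_scope` parameter but the column tested is `public_policy`; it should name the column.
```php
function scopes_sql($uid,$observer) {
	// … unchanged: 'authenticated' / 'network: red' clauses …
	if(local_channel())
		$str .= " or public_policy = 'site: " . dbesc(get_app()->get_hostname()) . "' ";

	$ab = q("select abook_pending from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
		dbesc($observer),
		intval($uid)
	);
	if(! $ab)
		return $str . " ) ";
	// any abook row, approved or pending, satisfies 'any connections'
	$str .= " or public_policy = 'any connections' ";
	// only an approved (non-pending) connection counts as a contact
	if(! intval($ab[0]['abook_pending']))
		$str .= " or public_policy = 'contacts' ";
	return $str . " ) ";
}
```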
diff --git a/mod/channel.php b/mod/channel.php
index d1064e939..f582eaf75 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -153,7 +153,6 @@ function channel_content(&$a, $update = 0, $load = false) {
else
$page_mode = 'client';
-
$abook_uids = " and abook.abook_channel = " . intval($a->profile['profile_uid']) . " ";
$simple_update = (($update) ? " AND item_unseen = 1 " : '');