author | Mario <mario@mariovavti.com> | 2019-02-20 08:52:13 +0100 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2019-02-20 08:52:13 +0100 |
commit | 65e8ed6871ba40b1582853cf3e20822232226b24 (patch) | |
tree | eaf2eff7a7d5a9902f93554bfd29e2e1dbbfac37 /Zotlabs/Module/Filestorage.php | |
parent | cead10b9af6ff9d8b1bc702ca21d27af7c2112f0 (diff) | |
parent | a77d7b844240030a764455b78b1b13fc886322f5 (diff) | |
Merge branch 'dev' into 'dev'
basic support for nomadic content, fix for permitted guests deleting their own files in the cloud space of another channel, urlencode category widget links
See merge request hubzilla/core!1523
Diffstat (limited to 'Zotlabs/Module/Filestorage.php')
-rw-r--r-- | Zotlabs/Module/Filestorage.php | 40 |
1 files changed, 30 insertions, 10 deletions
diff --git a/Zotlabs/Module/Filestorage.php b/Zotlabs/Module/Filestorage.php index 23bd63f95..2c247cd65 100644 --- a/Zotlabs/Module/Filestorage.php +++ b/Zotlabs/Module/Filestorage.php @@ -5,6 +5,8 @@ namespace Zotlabs\Module; * */ + + class Filestorage extends \Zotlabs\Web\Controller { function post() { @@ -71,14 +73,6 @@ class Filestorage extends \Zotlabs\Web\Controller { return; } - // Since we have ACL'd files in the wild, but don't have ACL here yet, we - // need to return for anyone other than the owner, despite the perms check for now. - - $is_owner = (((local_channel()) && ($owner == local_channel())) ? true : false); - if(! ($is_owner || is_site_admin())){ - info( t('Permission Denied.') . EOL ); - return; - } if(argc() > 3 && argv(3) === 'delete') { @@ -101,18 +95,31 @@ class Filestorage extends \Zotlabs\Web\Controller { } $file = intval(argv(2)); - $r = q("SELECT hash FROM attach WHERE id = %d AND uid = %d LIMIT 1", + $r = q("SELECT hash, creator FROM attach WHERE id = %d AND uid = %d LIMIT 1", dbesc($file), intval($owner) ); if(! $r) { + notice( t('File not found.') . EOL); + if($json_return) json_return_and_die([ 'success' => false ]); - notice( t('File not found.') . EOL); goaway(z_root() . '/cloud/' . $which); } + if(local_channel() !== $owner) { + if($r[0]['creator'] && $r[0]['creator'] !== $ob_hash) { + notice( t('Permission denied.') . EOL); + + if($json_return) + json_return_and_die([ 'success' => false ]); + + goaway(z_root() . '/cloud/' . $which); + } + } + + $f = $r[0]; $channel = channelx_by_n($owner); 
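Review bot: The new creator check in the delete branch fails open when `creator` is empty: `if($r[0]['creator'] && $r[0]['creator'] !== $ob_hash)` denies only when a creator is recorded, so a non-owner who passed the earlier permission check (outside this hunk) can delete any file in this cloud whose `creator` column is empty. If such rows can exist (older uploads, presumably), deny on a missing creator instead: `if(! $r[0]['creator'] || $r[0]['creator'] !== $ob_hash)`. The outer test `local_channel() !== $owner` is strict while the check this commit moves further down uses `$owner == local_channel()`; if `$owner` is not an int at this point (the query wraps it in `intval()`), the real owner would be treated as a guest and refused on files created by others, so comparing against `intval($owner)` keeps the two checks consistent. `$ob_hash` is assigned outside this hunk and should be confirmed non-empty on every path that reaches the comparison.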
@@ -134,6 +141,19 @@ class Filestorage extends \Zotlabs\Web\Controller { goaway(dirname($url)); } + + + + // Since we have ACL'd files in the wild, but don't have ACL here yet, we + // need to return for anyone other than the owner, despite the perms check for now. + + $is_owner = (((local_channel()) && ($owner == local_channel())) ? true : false); + if(! ($is_owner || is_site_admin())){ + info( t('Permission Denied.') . EOL ); + return; + } + + if(argc() > 3 && argv(3) === 'edit') { require_once('include/acl_selectors.php'); if(! $perms['write_storage']) { |
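Review bot: The comment moved along with the owner/admin check still reads as if it gated the whole handler, but at its new position it covers only the code after the delete branch (the `edit` branch that follows), while the delete path above it is now reachable by non-owners by design. I would reword it to say so, for example `// Editing is owner/admin only for now; deletion by permitted guests is handled above via the creator check.` The run of blank `+` lines added around the block could be dropped as well.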