aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module/Oep.php
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2023-06-19 19:47:01 +0000
committerMario <mario@mariovavti.com>2023-06-19 19:47:01 +0000
commit489ba72d5c447a89ad5c5b8c212dd8e049879a7f (patch)
tree4d519bc3874f8d6c78685e6365cf26919f5cb45d /Zotlabs/Module/Oep.php
parent5df9779669505f12d97988ab9560ed298675eb69 (diff)
downloadvolse-hubzilla-489ba72d5c447a89ad5c5b8c212dd8e049879a7f.tar.gz
volse-hubzilla-489ba72d5c447a89ad5c5b8c212dd8e049879a7f.tar.bz2
volse-hubzilla-489ba72d5c447a89ad5c5b8c212dd8e049879a7f.zip
fix issues in mod oep
Diffstat (limited to 'Zotlabs/Module/Oep.php')
-rw-r--r--Zotlabs/Module/Oep.php52
1 files changed, 35 insertions, 17 deletions
diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php
index bf17e6436..37a46a23e 100644
--- a/Zotlabs/Module/Oep.php
+++ b/Zotlabs/Module/Oep.php
@@ -28,7 +28,6 @@ class Oep extends \Zotlabs\Web\Controller {
$format = $_REQUEST['format'] ?? '';
if($format && $format !== 'json')
http_status_exit(501, 'Not implemented');
-
if(fnmatch('*/photos/*/album/*',$url))
$arr = $this->oep_album_reply($_REQUEST);
elseif(fnmatch('*/photos/*/image/*',$url))
@@ -95,12 +94,12 @@ class Oep extends \Zotlabs\Web\Controller {
$c = channelx_by_n($p[0]['uid']);
-
if(! ($c && $res))
return;
- if(! perm_is_allowed($c[0]['channel_id'],get_observer_hash(),'view_stream'))
+ if(! perm_is_allowed($c['channel_id'], get_observer_hash(), 'view_stream')) {
return;
+ }
$sql_extra = item_permissions_sql($c['channel_id']);
@@ -336,32 +335,51 @@ class Oep extends \Zotlabs\Web\Controller {
$maxwidth = ((isset($args['maxwidth'])) ? $args['maxwidth'] : 0);
$maxheight = ((isset($args['maxheight'])) ? $args['maxheight'] : 0);
- if(preg_match('#//(.*?)/(.*?)/(.*?)/(.*?)mid\=(.*?)(&|$)#',$url,$matches)) {
- $chn = $matches[3];
- $res = $matches[5];
+ $parsed = parse_url($url);
+ if (empty($parsed['path'])) {
+ return;
}
- if(! ($chn && $res))
+ $nick = basename($parsed['path']);
+ if (!$nick) {
return;
+ }
- $c = q("select * from channel where channel_address = '%s' limit 1",
- dbesc($chn)
- );
+ if (empty($parsed['query'])) {
+ return;
+ }
- if(! $c)
+ parse_str($parsed['query'], $query);
+
+ if (empty($query['mid'])) {
return;
+ }
- if(! perm_is_allowed($c[0]['channel_id'],get_observer_hash(),'view_stream'))
+ $mid = unpack_link_id($query['mid']);
+ if (!$mid) {
return;
+ }
- $sql_extra = item_permissions_sql($c[0]['channel_id']);
+ $c = channelx_by_nick($nick);
+ if(! $c) {
+ return;
+ }
- $p = q("select * from item where mid = '%s' and uid = %d $sql_extra limit 1",
- dbesc($res),
- intval($c[0]['channel_id'])
+ if(! perm_is_allowed($c['channel_id'], get_observer_hash(), 'view_stream')) {
+ return;
+ }
+
+ $sql_extra = item_permissions_sql($c['channel_id']);
+ $item_normal = item_normal();
+
+ $p = q("select * from item where mid = '%s' and uid = %d $sql_extra $item_normal limit 1",
+ dbesc($mid),
+ intval($c['channel_id'])
);
- if(! $p)
+
+ if(! $p) {
return;
+ }
xchan_query($p,true);
$p = fetch_post_tags($p,true);