aboutsummaryrefslogtreecommitdiffstats
path: root/Zotlabs/Module
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-03-13 16:19:47 -0700
committerzotlabs <mike@macgirvin.com>2017-03-13 16:19:47 -0700
commit58aa0f3e1a52a0c20016a4330100231ad505e6e4 (patch)
treea599768b88ac95a8c8bc395371b249dd5ab518d4 /Zotlabs/Module
parent02b390d7b867750aa466f912a8e1024d35ebf4e8 (diff)
downloadvolse-hubzilla-58aa0f3e1a52a0c20016a4330100231ad505e6e4.tar.gz
volse-hubzilla-58aa0f3e1a52a0c20016a4330100231ad505e6e4.tar.bz2
volse-hubzilla-58aa0f3e1a52a0c20016a4330100231ad505e6e4.zip
code_allowed is a real mess. Start the cleanup by remving the account level code allow and limiting to specific channels only. This reduces the possibility of cross channel security issues coming into play. Then provide a single function for checking the code permission. This is only partially done as we often need to check against the observer or logged in channel as well as the resource owner to ensure that this only returns true for local channels which also own the requested resource.
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Impel.php14
-rw-r--r--Zotlabs/Module/Item.php14
2 files changed, 4 insertions, 24 deletions
diff --git a/Zotlabs/Module/Impel.php b/Zotlabs/Module/Impel.php
index 197d9f859..77f488d26 100644
--- a/Zotlabs/Module/Impel.php
+++ b/Zotlabs/Module/Impel.php
@@ -144,18 +144,8 @@ class Impel extends \Zotlabs\Web\Controller {
// Verify ability to use html or php!!!
- $execflag = false;
-
- if($arr['mimetype'] === 'application/x-php') {
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval(local_channel())
- );
-
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- $execflag = true;
- }
- }
-
+ $execflag = ((intval($channel['channel_id']) == intval(local_channel()) && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false);
+
$i = q("select id, edited, item_deleted from item where mid = '%s' and uid = %d limit 1",
dbesc($arr['mid']),
intval(local_channel())
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index afac1542d..43cf535a4 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -478,18 +478,8 @@ class Item extends \Zotlabs\Web\Controller {
// Verify ability to use html or php!!!
- $execflag = false;
-
- $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id
- where channel_id = %d limit 1",
- intval($profile_uid)
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- if($uid && (intval(get_account_id()) == intval($z[0]['account_id']))) {
- $execflag = true;
- }
- }
-
+ $execflag = ((intval($channel['channel_id']) == intval($profile_uid) && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false);
+
$gacl = $acl->get();
$str_contact_allow = $gacl['allow_cid'];
$str_group_allow = $gacl['allow_gid'];