diff options
author | git-marijus <mario@mariovavti.com> | 2017-08-01 23:20:39 +0200 |
---|---|---|
committer | git-marijus <mario@mariovavti.com> | 2017-08-01 23:20:39 +0200 |
commit | 599b395e247c991756c7cf5db29608b2c817f476 (patch) | |
tree | c82d8f3b05e0c9911a4c50cd994f8eae8c27ddb9 /include/attach.php | |
parent | aa766b53d6a51cd0c31022f7afed2e63fc62ced2 (diff) | |
download | volse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.tar.gz volse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.tar.bz2 volse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.zip |
finally fix recursive attachments permissions
Diffstat (limited to 'include/attach.php')
-rw-r--r-- | include/attach.php | 133 |
1 files changed, 79 insertions, 54 deletions
diff --git a/include/attach.php b/include/attach.php index d19de2ea3..79a38590b 100644 --- a/include/attach.php +++ b/include/attach.php @@ -1605,7 +1605,10 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid, $folder_hash = $object['folder']; - $r_perms = recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash); + $r_perms = attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash); + + if($r_perms === false) //nobody has recursive perms - nobody must be notified + return; //split up returned perms $arr_allow_cid = $r_perms['allow_cid']; @@ -1768,7 +1771,7 @@ function get_file_activity_object($channel_id, $hash, $url) { } /** - * @brief Returns array of channels which have recursive permission for a file + * @brief Returns recursive permissions array or false if nobody has recursive permissions * * @param array $arr_allow_cid * @param array $arr_allow_gid @@ -1776,19 +1779,20 @@ function get_file_activity_object($channel_id, $hash, $url) { * @param array $arr_deny_gid * @param string $folder_hash */ -function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) { +function attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) { $ret = array(); $parent_arr = array(); $count_values = array(); $poster = App::get_observer(); - //turn allow_gid into allow_cid's - foreach($arr_allow_gid as $gid) { - $in_group = group_get_members($gid); + //lookup all channels in sharee group and add them to sharee $arr_allow_cid + if($arr_allow_gid) { + $in_group = expand_groups($arr_allow_gid); $arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group)); } + //count existing parent folders - we will compare to that count later $count = 0; while($folder_hash) { $x = q("SELECT allow_cid, allow_gid, deny_cid, deny_gid, folder FROM attach WHERE hash = '%s' LIMIT 1", @@ -1797,30 +1801,20 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny //only process private folders if($x[0]['allow_cid'] || $x[0]['allow_gid'] || $x[0]['deny_cid'] || $x[0]['deny_gid']) { - $parent_arr['allow_cid'][] = expand_acl($x[0]['allow_cid']); $parent_arr['allow_gid'][] = expand_acl($x[0]['allow_gid']); - - /** - * @TODO should find a much better solution for the allow_cid <-> allow_gid problem. - * Do not use allow_gid for now. Instead lookup the members of the group directly and add them to allow_cid. - * */ - if($parent_arr['allow_gid']) { - foreach($parent_arr['allow_gid'][$count] as $gid) { - $in_group = group_get_members($gid); - $parent_arr['allow_cid'][$count] = array_unique(array_merge($parent_arr['allow_cid'][$count], $in_group)); - } - } - $parent_arr['deny_cid'][] = expand_acl($x[0]['deny_cid']); $parent_arr['deny_gid'][] = expand_acl($x[0]['deny_gid']); + //this is the number of all existing parent folders - we will compare to that count later $count++; } $folder_hash = $x[0]['folder']; } + //logger(EOL . 'parent_arr: ' . print_r($parent_arr,true)); + //if none of the parent folders is private just return file perms if(!$parent_arr['allow_cid'] && !$parent_arr['allow_gid'] && !$parent_arr['deny_cid'] && !$parent_arr['deny_gid']) { $ret['allow_gid'] = $arr_allow_gid; @@ -1831,7 +1825,7 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny return $ret; } - //if there are no perms on the file we get them from the first parent folder + //if there are no perms on the file we will work with the perms from the first parent folder if(!$arr_allow_cid && !$arr_allow_gid && !$arr_deny_cid && !$arr_deny_gid) { $arr_allow_cid = $parent_arr['allow_cid'][0]; $arr_allow_gid = $parent_arr['allow_gid'][0]; @@ -1839,52 +1833,83 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny $arr_deny_gid = $parent_arr['deny_gid'][0]; } - //allow_cid - $r_arr_allow_cid = false; - foreach ($parent_arr['allow_cid'] as $folder_arr_allow_cid) { - foreach ($folder_arr_allow_cid as $ac_hash) { - $count_values[$ac_hash]++; + + /*** + * + * check if sharee has perms for all parent folders + * + ***/ + + $r_arr_allow_cid = []; + + if($parent_arr['allow_cid']) { + //check sharee arr_allow_cid against allow_cid of all parent folders + foreach($parent_arr['allow_cid'] as $folder_arr_allow_cid) { + foreach($folder_arr_allow_cid as $ac_hash) { + $count_values[$ac_hash]++; + } } - } - foreach ($arr_allow_cid as $fac_hash) { - if($count_values[$fac_hash] == $count) - $r_arr_allow_cid[] = $fac_hash; + foreach($arr_allow_cid as $fac_hash) { + if($count_values[$fac_hash] == $count) + $r_arr_allow_cid[] = $fac_hash; + } + //logger(EOL . 'r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true)); } - //allow_gid - $r_arr_allow_gid = false; - foreach ($parent_arr['allow_gid'] as $folder_arr_allow_gid) { - foreach ($folder_arr_allow_gid as $ag_hash) { - $count_values[$ag_hash]++; + if($parent_arr['allow_gid']) { + //check sharee arr_allow_cid against members of allow_gid of all parent folders + foreach($parent_arr['allow_gid'] as $folder_arr_allow_gid) { + //get the group members + $folder_arr_allow_cid = expand_groups($folder_arr_allow_gid); + foreach($folder_arr_allow_cid as $ac_hash) { + $count_values[$ac_hash]++; + } } - } - foreach ($arr_allow_gid as $fag_hash) { - if($count_values[$fag_hash] == $count) - $r_arr_allow_gid[] = $fag_hash; + foreach($arr_allow_cid as $fac_hash) { + if($count_values[$fac_hash] == $count) + $r_arr_allow_cid[] = $fac_hash; + } + //logger(EOL . 'groups - r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true)); } - //deny_gid - foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) { - $r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid); - } - $r_arr_deny_gid = array_unique($r_arr_deny_gid); + + /*** + * + * check if sharee is denied somewhere in parent folders and deny him if so + * + ***/ //deny_cid - foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) { - $r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid); + $r_arr_deny_cid = []; + + if($parent_arr['deny_cid']) { + foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) { + $r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid); + } + $r_arr_deny_cid = array_unique($r_arr_deny_cid); + //logger(EOL . 'r_arr_deny_cid: ' . print_r($r_arr_deny_cid,true)); } - $r_arr_deny_cid = array_unique($r_arr_deny_cid); - //if none is allowed restrict to self - if(($r_arr_allow_gid === false) && ($r_arr_allow_cid === false)) { - $ret['allow_cid'] = [$poster['xchan_hash']]; - } else { - $ret['allow_gid'] = $r_arr_allow_gid; - $ret['allow_cid'] = $r_arr_allow_cid; - $ret['deny_gid'] = $r_arr_deny_gid; - $ret['deny_cid'] = $r_arr_deny_cid; + //deny_gid + $r_arr_deny_gid = []; + + if($parent_arr['deny_cid']) { + foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) { + $r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid); + } + $r_arr_deny_gid = array_unique($r_arr_deny_gid); + //logger(EOL . 'r_arr_deny_gid: ' . print_r($r_arr_dr_arr_deny_gideny_cid,true)); } + //if no channel is allowed return false + if(! $r_arr_allow_cid) + return false; + + $ret['allow_gid'] = []; // eventual group members are already collected in $r_arr_allow_cid + $ret['allow_cid'] = $r_arr_allow_cid; + $ret['deny_gid'] = $r_arr_deny_gid; + $ret['deny_cid'] = $r_arr_deny_cid; + return $ret; } |