aboutsummaryrefslogtreecommitdiffstats
path: root/include/import.php
diff options
context:
space:
mode:
authorzotlabs <mike@macgirvin.com>2017-03-13 16:19:47 -0700
committerMario Vavti <mario@mariovavti.com>2017-03-29 13:32:23 +0200
commit0f7832dc30fb4d8aedd24b6ad8a9e48876a77dd0 (patch)
tree86d0d53082292dfeb2b4230b36f5675da35db36a /include/import.php
parent107083e3e49ddb91de7df5133fc6771721e31e10 (diff)
downloadvolse-hubzilla-0f7832dc30fb4d8aedd24b6ad8a9e48876a77dd0.tar.gz
volse-hubzilla-0f7832dc30fb4d8aedd24b6ad8a9e48876a77dd0.tar.bz2
volse-hubzilla-0f7832dc30fb4d8aedd24b6ad8a9e48876a77dd0.zip
code_allowed is a real mess. Start the cleanup by remving the account level code allow and limiting to specific channels only. This reduces the possibility of cross channel security issues coming into play. Then provide a single function for checking the code permission. This is only partially done as we often need to check against the observer or logged in channel as well as the resource owner to ensure that this only returns true for local channels which also own the requested resource.
Diffstat (limited to 'include/import.php')
-rw-r--r--include/import.php34
1 files changed, 3 insertions, 31 deletions
diff --git a/include/import.php b/include/import.php
index ac634639e..d0e15c89d 100644
--- a/include/import.php
+++ b/include/import.php
@@ -528,16 +528,8 @@ function sync_chatrooms($channel,$chatrooms) {
function import_items($channel,$items,$sync = false,$relocate = null) {
if($channel && $items) {
- $allow_code = false;
- $r = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id
- where channel_id = %d limit 1",
- intval($channel['channel_id'])
- );
- if($r) {
- if(($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) {
- $allow_code = true;
- }
- }
+
+ $allow_code = channel_codeallowed($channel['channel_id']);
$deliver = false; // Don't deliver any messages or notifications when importing
@@ -1352,28 +1344,8 @@ function import_webpage_element($element, $channel, $type) {
}
// Verify ability to use html or php!!!
- $execflag = false;
- if($arr['mimetype'] === 'application/x-php' || $arr['mimetype'] === 'text/html') {
- $z = q("select account_id, account_roles, channel_pageflags from account "
- . "left join channel on channel_account_id = account_id where channel_id = %d limit 1",
- intval(local_channel())
- );
- if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) {
- $execflag = true;
- }
- else {
- logger('Unable to import element "' . $name .'" because AllowCode permission is denied.');
- notice( t('Unable to import element "' . $name .'" because AllowCode permission is denied.') . EOL);
- $element['import_success'] = 0;
- return $element;
- }
- }
-
-// $z = q("select * from iconfig where v = '%s' and k = '%s' and cat = 'system' limit 1",
-// dbesc($name),
-// dbesc($namespace)
-// );
+ $execflag = channel_codeallowed(local_channel());
$i = q("select id, edited, item_deleted from item where mid = '%s' and uid = %d limit 1",
dbesc($arr['mid']),