Merge branch '8.6RC'8.6

1 files changed, 158 insertions, 21 deletions

diff --git a/include/items.php b/include/items.php
index f6a93cc2c..d88a676a1 100644
--- a/include/items.php
+++ b/include/items.php
@@ -53,35 +53,28 @@ function collect_recipients($item, &$private_envelope,$include_groups = true) {
 			$allow_groups = [];
 		}
 
-		$recipients = array_unique(array_merge($allow_people,$allow_groups));
+		$raw_recipients = array_unique(array_merge($allow_people, $allow_groups));
+		$recipients = deliverable_abook_xchans($item['uid'], $raw_recipients);
 
 		// if you specifically deny somebody but haven't allowed anybody, we'll allow everybody in your
 		// address book minus the denied connections. The post is still private and can't be seen publicly
 		// as that would allow the denied person to see the post by logging out.
 
-		if((! $item['allow_cid']) && (! $item['allow_gid'])) {
-			$r = q("select * from abook where abook_channel = %d and abook_self = 0 and abook_pending = 0 and abook_archived = 0 ",
-				intval($item['uid'])
-			);
-
-			if($r) {
-				foreach($r as $rr) {
-					$recipients[] = $rr['abook_xchan'];
-				}
-			}
+		if(!$item['allow_cid'] && !$item['allow_gid']) {
+			$recipients = deliverable_abook_xchans($item['uid']);
 		}
 
 		$deny_people  = expand_acl($item['deny_cid']);
 		$deny_groups  = AccessList::expand(expand_acl($item['deny_gid']));
 
-		$deny = array_unique(array_merge($deny_people,$deny_groups));
+		$deny = array_unique(array_merge($deny_people, $deny_groups));
 
 		// Don't deny anybody if nobody was allowed (e.g. they were all filtered out)
 		// That would lead to array_diff doing the wrong thing.
 		// This will result in a private post that won't be delivered to anybody.
 
 		if($recipients && $deny)
-			$recipients = array_diff($recipients,$deny);
+			$recipients = array_diff($recipients, $deny);
 
 		$private_envelope = true;
 	}
@@ -112,9 +105,7 @@ function collect_recipients($item, &$private_envelope,$include_groups = true) {
 			if ($hookinfo['recipients']) {
 				$r = $hookinfo['recipients'];
 			} else {
-				$r = q("select abook_xchan, xchan_network from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d and abook_self = 0 and abook_pending = 0 and abook_archived = 0 and abook_not_here = 0 and xchan_network not in ('anon', 'token', 'rss')",
-					intval($item['uid'])
-				);
+				$r = deliverable_abook_xchans($item['uid'], [], false);
 			}
 
 			if($r) {
@@ -242,9 +233,21 @@ function comments_are_now_closed($item) {
 }
 
 function item_normal() {
-	return " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0
-		and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_pending_remove = 0
-		and item.item_blocked = 0 ";
+	$profile_uid = App::$profile['profile_uid'] ?? App::$profile_uid ?? null;
+	$uid = local_channel();
+	$is_owner = ($uid && intval($profile_uid) === $uid);
+
+	$sql = " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0
+		and item.item_unpublished = 0 and item.item_pending_remove = 0";
+
+	if ($is_owner) {
+		$sql .= " and item.item_blocked IN (0, " . intval(ITEM_MODERATED) . ") and item.item_delayed IN (0, 1) ";
+	}
+	else {
+		$sql .= " and item.item_blocked = 0 and item.item_delayed = 0 ";
+	}
+
+	return $sql;
 }
 
 function item_normal_search() {
@@ -2448,13 +2451,17 @@ function send_status_notifications($post_id,$item) {
 			intval($item['uid'])
 		);
 
-		$thr_parent_id = $r[0]['id'];
+		if ($r) {
+			$thr_parent_id = $r[0]['id'];
+		}
+
 	}
 
 	$r = q("select channel_hash from channel where channel_id = %d limit 1",
 		intval($item['uid'])
 	);
-	if(! $r)
+
+	if(!$r)
 		return;
 
 	// my own post - no notification needed
@@ -5009,6 +5016,136 @@ function fix_attached_file_permissions($channel,$observer_hash,$body,
 	}
 }
 
+function list_attached_local_files($body) {
+
+	$files = [];
+	$match = [];
+
+	// match img and zmg image links
+	if (preg_match_all("/\[[zi]mg(.*?)](.*?)\[\/[zi]mg]/", $body, $match)) {
+		$images = array_merge($match[1], $match[2]);
+		if ($images) {
+			foreach ($images as $image) {
+				if (!stristr($image, z_root() . '/photo/')) {
+					continue;
+				}
+				$image_uri = substr($image,strrpos($image,'/') + 1);
+				if (str_contains($image_uri, '-')) {
+					$image_uri = substr($image_uri,0, strrpos($image_uri,'-'));
+				}
+				if (str_contains($image_uri, '.')) {
+					$image_uri = substr($image_uri,0, strpos($image_uri,'.'));
+				}
+				if ($image_uri && !in_array($image_uri, $files)) {
+					$files[] = $image_uri;
+				}
+			}
+		}
+	}
+	if (preg_match_all("/\[attachment](.*?)\[\/attachment]/",$body,$match)) {
+		$attaches = $match[1];
+		if ($attaches) {
+			foreach ($attaches as $attach) {
+				$hash = substr($attach,0,strpos($attach,','));
+				if ($hash && !in_array($hash, $files)) {
+					$files[] = $hash;
+				}
+			}
+		}
+	}
+
+	return $files;
+}
+
+function fix_attached_permissions($uid, $body, $str_contact_allow, $str_group_allow, $str_contact_deny, $str_group_deny, $token = EMPTY_STR) {
+
+	$files = list_attached_local_files($body);
+
+	if (! $files) {
+		return;
+	}
+
+	foreach ($files as $file) {
+		$attach_q = q("select id, hash, flags, is_photo, allow_cid, allow_gid, deny_cid, deny_gid from attach where hash = '%s' and uid = %d",
+			dbesc($file),
+			intval($uid)
+		);
+
+		if (! $attach_q) {
+			continue;
+		}
+
+		$attach = array_shift($attach_q);
+
+		$new_public = !(($str_contact_allow || $str_group_allow || $str_contact_deny || $str_group_deny));
+		$existing_public = !(($attach['allow_cid'] || $attach['allow_gid'] || $attach['deny_cid'] || $attach['deny_gid']));
+
+		if ($existing_public) {
+			// permissions have already been fixed and they are public. There's nothing for us to do.
+			continue;
+		}
+
+		// if flags & 1, the attachment was uploaded directly into a post and needs to have permissions corrected
+		// or - if it is a private file and a new token was generated, we'll need to add the token to the ACL.
+
+		if (((intval($attach['flags']) & 1) !== 1) && (! $token)) {
+			continue;
+		}
+
+		$item_private = 0;
+
+		if ($new_public === false) {
+			$item_private = (($str_group_allow || ($str_contact_allow && substr_count($str_contact_allow,'<') > 2)) ? 1 : 2);
+
+			// preserve any existing tokens that may have been set for this file
+			$token_matches = null;
+			if (preg_match_all('/<token:(.*?)>/',$attach['allow_cid'],$token_matches, PREG_SET_ORDER)) {
+				foreach ($token_matches as $m) {
+					$tok = '<token:' . $m[1] . '>';
+					if (!str_contains($str_contact_allow, $tok)) {
+						$str_contact_allow .= $tok;
+					}
+				}
+			}
+			if ($token && !str_contains($str_contact_allow, $token)) {
+				$str_contact_allow .= '<token:' . $token . '>';
+			}
+		}
+
+		q("update attach SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', flags = 0
+			WHERE id = %d AND uid = %d",
+			dbesc($str_contact_allow),
+			dbesc($str_group_allow),
+			dbesc($str_contact_deny),
+			dbesc($str_group_deny),
+			intval($attach['id']),
+			intval($uid)
+		);
+
+		if ($attach['is_photo']) {
+			$r = q("UPDATE photo SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s'
+				WHERE resource_id = '%s' AND uid = %d ",
+				dbesc($str_contact_allow),
+				dbesc($str_group_allow),
+				dbesc($str_contact_deny),
+				dbesc($str_group_deny),
+				dbesc($file),
+				intval($uid)
+			);
+
+			$r = q("UPDATE item SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', item_private = %d
+				WHERE resource_id = '%s' AND 'resource_type' = 'photo'  AND uid = %d",
+				dbesc($str_contact_allow),
+				dbesc($str_group_allow),
+				dbesc($str_contact_deny),
+				dbesc($str_group_deny),
+				intval($item_private),
+				dbesc($file),
+				intval($uid)
+			);
+		}
+	}
+}
 
 function item_create_edit_activity($post) {