diff options
author | habeascodice <habeascodice@federated.social> | 2014-11-13 13:30:29 -0800 |
---|---|---|
committer | habeascodice <habeascodice@federated.social> | 2014-11-13 13:30:29 -0800 |
commit | 2dbecf95454993cdf4996d2d65463d7759cd479b (patch) | |
tree | cbef39a4779efed1c0ab3b61a9ff09e37fadb49e /include/security.php | |
parent | bc02b933727da7a000d43d2d7d495f066616dc81 (diff) | |
parent | ac27db22c18ee7a82a52cbadb3efe2760b910499 (diff) | |
download | volse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.tar.gz volse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.tar.bz2 volse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.zip |
Merge branch 'master' of https://github.com/habeascodice/red
Diffstat (limited to 'include/security.php')
-rw-r--r-- | include/security.php | 31 |
1 files changed, 17 insertions, 14 deletions
diff --git a/include/security.php b/include/security.php index e83cc7061..8066a76f6 100644 --- a/include/security.php +++ b/include/security.php @@ -12,7 +12,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive $_SESSION['authenticated'] = 1; if($login_initial || $update_lastlog) { - q("update account set account_lastlog = '%s' where account_id = %d limit 1", + q("update account set account_lastlog = '%s' where account_id = %d", dbesc(datetime_convert()), intval($_SESSION['account_id']) ); @@ -59,7 +59,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive /* This account has never created a channel. Send them to new_channel by default */ if($a->module === 'login') { - $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)", + $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)>0", intval($a->account['account_id']), intval(PAGE_REMOVED) ); @@ -76,7 +76,7 @@ function change_channel($change_channel) { $ret = false; if($change_channel) { - $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d) limit 1", + $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d)>0 limit 1", intval($change_channel), intval(get_account_id()), intval(PAGE_REMOVED) @@ -86,7 +86,7 @@ function change_channel($change_channel) { if (is_developer()) { if (! $r) { if (is_site_admin()) { - $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d ) limit 1", + $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d )>0 limit 1", intval($change_channel), intval(PAGE_SYSTEM), intval(PAGE_REMOVED) @@ -174,9 +174,10 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) { foreach($groups as $g) $gs .= '|<' . $g . '>'; } + $regexop = db_getfunc('REGEXP'); $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') + AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", dbesc(protect_sprintf( '%<' . $observer . '>%')), @@ -204,7 +205,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) * default permissions - anonymous user */ - $sql = " AND not item_private "; + $sql = " AND item_private=0 "; /** @@ -235,10 +236,11 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) if(is_array($groups) && count($groups)) { foreach($groups as $g) $gs .= '|<' . $g . '>'; - } + } + $regexop = db_getfunc('REGEXP'); $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') + AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", dbesc(protect_sprintf( '%<' . $observer . '>%')), @@ -264,9 +266,10 @@ function public_permissions_sql($observer_hash) { } $sql = ''; if($observer_hash) { + $regexop = db_getfunc('REGEXP'); $sql = sprintf( - " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + " OR (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') + AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') ) )) ", dbesc(protect_sprintf( '%<' . $observer_hash . '>%')), @@ -375,7 +378,7 @@ function stream_perms_api_uids($perms = NULL ) { $ret = array(); if(local_user()) $ret[] = local_user(); - $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)", + $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0", intval($perms), intval(PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED) ); @@ -402,7 +405,7 @@ function stream_perms_xchans($perms = NULL ) { if(local_user()) $ret[] = get_observer_hash(); - $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)", + $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0", intval($perms), intval(PAGE_CENSORED|PAGE_SYETEM|PAGE_REMOVED) ); |