aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
authorhabeascodice <habeascodice@federated.social>2014-11-13 13:30:29 -0800
committerhabeascodice <habeascodice@federated.social>2014-11-13 13:30:29 -0800
commit2dbecf95454993cdf4996d2d65463d7759cd479b (patch)
treecbef39a4779efed1c0ab3b61a9ff09e37fadb49e /include/security.php
parentbc02b933727da7a000d43d2d7d495f066616dc81 (diff)
parentac27db22c18ee7a82a52cbadb3efe2760b910499 (diff)
downloadvolse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.tar.gz
volse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.tar.bz2
volse-hubzilla-2dbecf95454993cdf4996d2d65463d7759cd479b.zip
Merge branch 'master' of https://github.com/habeascodice/red
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php31
1 files changed, 17 insertions, 14 deletions
diff --git a/include/security.php b/include/security.php
index e83cc7061..8066a76f6 100644
--- a/include/security.php
+++ b/include/security.php
@@ -12,7 +12,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
$_SESSION['authenticated'] = 1;
if($login_initial || $update_lastlog) {
- q("update account set account_lastlog = '%s' where account_id = %d limit 1",
+ q("update account set account_lastlog = '%s' where account_id = %d",
dbesc(datetime_convert()),
intval($_SESSION['account_id'])
);
@@ -59,7 +59,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
/* This account has never created a channel. Send them to new_channel by default */
if($a->module === 'login') {
- $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)",
+ $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)>0",
intval($a->account['account_id']),
intval(PAGE_REMOVED)
);
@@ -76,7 +76,7 @@ function change_channel($change_channel) {
$ret = false;
if($change_channel) {
- $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d) limit 1",
+ $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d)>0 limit 1",
intval($change_channel),
intval(get_account_id()),
intval(PAGE_REMOVED)
@@ -86,7 +86,7 @@ function change_channel($change_channel) {
if (is_developer()) {
if (! $r) {
if (is_site_admin()) {
- $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d ) limit 1",
+ $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d )>0 limit 1",
intval($change_channel),
intval(PAGE_SYSTEM),
intval(PAGE_REMOVED)
@@ -174,9 +174,10 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
foreach($groups as $g)
$gs .= '|<' . $g . '>';
}
+ $regexop = db_getfunc('REGEXP');
$sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') )
)
",
dbesc(protect_sprintf( '%<' . $observer . '>%')),
@@ -204,7 +205,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
* default permissions - anonymous user
*/
- $sql = " AND not item_private ";
+ $sql = " AND item_private=0 ";
/**
@@ -235,10 +236,11 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
if(is_array($groups) && count($groups)) {
foreach($groups as $g)
$gs .= '|<' . $g . '>';
- }
+ }
+ $regexop = db_getfunc('REGEXP');
$sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') )
)
",
dbesc(protect_sprintf( '%<' . $observer . '>%')),
@@ -264,9 +266,10 @@ function public_permissions_sql($observer_hash) {
}
$sql = '';
if($observer_hash) {
+ $regexop = db_getfunc('REGEXP');
$sql = sprintf(
- " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ " OR (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') )
))
",
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
@@ -375,7 +378,7 @@ function stream_perms_api_uids($perms = NULL ) {
$ret = array();
if(local_user())
$ret[] = local_user();
- $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)",
+ $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0",
intval($perms),
intval(PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED)
);
@@ -402,7 +405,7 @@ function stream_perms_xchans($perms = NULL ) {
if(local_user())
$ret[] = get_observer_hash();
- $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)",
+ $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0",
intval($perms),
intval(PAGE_CENSORED|PAGE_SYETEM|PAGE_REMOVED)
);