diff options
author | Mario Vavti <mario@mariovavti.com> | 2016-08-03 21:17:08 +0200 |
---|---|---|
committer | Mario Vavti <mario@mariovavti.com> | 2016-08-03 21:17:08 +0200 |
commit | b959641ca82d45f641a803b58dcfb91a90274956 (patch) | |
tree | fa658a7f3a8ab4f862e503ad2113fc24bffd0304 /include/security.php | |
parent | c50bfa07ca3a456d69d73988f42e58e3282879e9 (diff) | |
parent | 416adeb169f16fd25f7dbf54232451d8647cc999 (diff) | |
download | volse-hubzilla-b959641ca82d45f641a803b58dcfb91a90274956.tar.gz volse-hubzilla-b959641ca82d45f641a803b58dcfb91a90274956.tar.bz2 volse-hubzilla-b959641ca82d45f641a803b58dcfb91a90274956.zip |
Merge branch 'dev' of https://github.com/redmatrix/hubzilla into dev
Diffstat (limited to 'include/security.php')
-rw-r--r-- | include/security.php | 102 |
1 files changed, 101 insertions, 1 deletions
diff --git a/include/security.php b/include/security.php index c67a1b400..83bf51bc0 100644 --- a/include/security.php +++ b/include/security.php @@ -108,6 +108,7 @@ function atoken_xchan($atoken) { 'xchan_name' => $atoken['atoken_name'], 'xchan_addr' => t('guest:') . $atoken['atoken_name'] . '@' . \App::get_hostname(), 'xchan_network' => 'unknown', + 'xchan_url' => z_root(), 'xchan_hidden' => 1, 'xchan_photo_mimetype' => 'image/jpeg', 'xchan_photo_l' => get_default_profile_photo(300), @@ -119,6 +120,105 @@ function atoken_xchan($atoken) { return null; } +function atoken_delete($atoken_id) { + + $r = q("select * from atoken where atoken_id = %d", + intval($atoken_id) + ); + if(! $r) + return; + + $c = q("select channel_id, channel_hash from channel where channel_id = %d", + intval($r[0]['atoken_uid']) + ); + if(! $c) + return; + + $atoken_xchan = substr($c[0]['channel_hash'],0,16) . '.' . $r[0]['atoken_name']; + + q("delete from atoken where atoken_id = %d", + intval($atoken_id) + ); + q("delete from abconfig where chan = %d and xchan = '%s'", + intval($c[0]['channel_id']), + dbesc($atoken_xchan) + ); +} + + + +// in order for atoken logins to create content (such as posts) they need a stored xchan. +// we'll create one on the first atoken_login; it can't really ever go away but perhaps +// @fixme we should set xchan_deleted if it's expired or removed + +function atoken_create_xchan($xchan) { + + $r = q("select xchan_hash from xchan where xchan_hash = '%s'", + dbesc($xchan['xchan_hash']) + ); + if($r) + return; + + $r = q("insert into xchan ( xchan_hash, xchan_guid, xchan_addr, xchan_url, xchan_name, xchan_network, xchan_photo_mimetype, xchan_photo_l, xchan_photo_m, xchan_photo_s ) + values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s') ", + dbesc($xchan['xchan_hash']), + dbesc($xchan['xchan_hash']), + dbesc($xchan['xchan_addr']), + dbesc($xchan['xchan_url']), + dbesc($xchan['xchan_name']), + dbesc($xchan['xchan_network']), + dbesc($xchan['xchan_photo_mimetype']), + dbesc($xchan['xchan_photo_l']), + dbesc($xchan['xchan_photo_m']), + dbesc($xchan['xchan_photo_s']) + ); + + return true; +} + +function atoken_abook($uid,$xchan_hash) { + + if(substr($xchan_hash,16,1) != '.') + return false; + + $r = q("select channel_hash from channel where channel_id = %d limit 1", + intval($uid) + ); + + if(! $r) + return false; + + $x = q("select * from atoken where atoken_uid = %d and atoken_name = '%s'", + intval($uid), + dbesc(substr($xchan_hash,17)) + ); + + if($x) { + $xchan = atoken_xchan($x[0]); + $xchan['abook_blocked'] = 0; + $xchan['abook_ignored'] = 0; + $xchan['abook_pending'] = 0; + return $xchan; + } + + return false; + +} + + +function pseudo_abook($xchan) { + if(! $xchan) + return false; + + // set abook_pseudo to flag that we aren't really connected. + + $xchan['abook_pseudo'] = 1; + $xchan['abook_blocked'] = 0; + $xchan['abook_ignored'] = 0; + $xchan['abook_pending'] = 0; + return $xchan; + +} /** @@ -396,7 +496,7 @@ function public_permissions_sql($observer_hash) { * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes; * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours). * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case: - * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link). + * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link). * If the new page contains by any chance external elements, then the used security token is exposed by the referrer. * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are, * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types). |