aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2023-06-01 10:15:35 +0000
committerMario <mario@mariovavti.com>2023-06-01 10:15:35 +0000
commit4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04 (patch)
tree5fdbeb5ea43c2f59496d42c3681c81af3184239e /include/security.php
parent423fdc0a9618e322636a5291ed92df00115fafb0 (diff)
downloadvolse-hubzilla-4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04.tar.gz
volse-hubzilla-4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04.tar.bz2
volse-hubzilla-4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04.zip
add owner and author to item_permissions_sql()
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php13
1 files changed, 10 insertions, 3 deletions
diff --git a/include/security.php b/include/security.php
index de9f1f337..2fbe1da1a 100644
--- a/include/security.php
+++ b/include/security.php
@@ -490,12 +490,19 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$gs = '<<>>'; // should be impossible to match
}
+ // This function is often called without an $owner_id in places where this could not be
+ // determined in advance. The ACL fields will usually not contain the original author or owner
+ // so we will also check for author_xchan and owner_xchan to account for this ACL deficiency.
+
$regexop = db_getfunc('REGEXP');
$sql = sprintf(
- " AND (( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
- AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
- ) OR ( item_private = 1 $scope ))
+ " AND ( author_xchan = '%s' OR owner_xchan = '%s' OR
+ (( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+ )))
",
+ dbesc($observer),
+ dbesc($observer),
dbesc($cs),
dbesc($gs),
dbesc($cs),