aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
authorMario <mario@mariovavti.com>2024-09-19 06:59:27 +0000
committerMario <mario@mariovavti.com>2024-09-19 06:59:27 +0000
commit39ee872f49855cae679a0c5c2747b24bf5d12082 (patch)
tree0a981edf4cd3d1e1e0e40c264300fb0566f46972 /include/security.php
parenta7c51f5d654cca2a3c637006de09836ee3f9dfc4 (diff)
downloadvolse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.tar.gz
volse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.tar.bz2
volse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.zip
prefer token if available
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php30
1 files changed, 14 insertions, 16 deletions
diff --git a/include/security.php b/include/security.php
index 93d951687..4b072cf92 100644
--- a/include/security.php
+++ b/include/security.php
@@ -321,6 +321,7 @@ function change_channel($change_channel) {
function permissions_sql($owner_id, $remote_observer = null, $table = '', $token = EMPTY_STR) {
$local_channel = local_channel();
+ $observer = $remote_observer ?? get_observer_hash();
/**
* Construct permissions
@@ -344,15 +345,22 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token
if (($local_channel) && ($local_channel == $owner_id)) {
return EMPTY_STR;
}
- /**
- * Authenticated visitor.
- */
-
else {
- $observer = ((!is_null($remote_observer)) ? $remote_observer : get_observer_hash());
+ /*
+ * OCAP token access
+ */
- if ($observer) {
+ if ($token) {
+ $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') .
+ "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )";
+ }
+
+ /**
+ * Authenticated visitor.
+ */
+
+ elseif ($observer) {
$sec = get_security_ids($owner_id, $observer);
@@ -400,16 +408,6 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token
dbesc($gs)
);
}
-
- /*
- * OCAP token access
- */
-
- elseif ($token) {
- $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') .
- "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )";
- }
-
}
return $sql;