diff options
author | Mario <mario@mariovavti.com> | 2024-09-19 06:59:27 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2024-09-19 06:59:27 +0000 |
commit | 39ee872f49855cae679a0c5c2747b24bf5d12082 (patch) | |
tree | 0a981edf4cd3d1e1e0e40c264300fb0566f46972 /include/security.php | |
parent | a7c51f5d654cca2a3c637006de09836ee3f9dfc4 (diff) | |
download | volse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.tar.gz volse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.tar.bz2 volse-hubzilla-39ee872f49855cae679a0c5c2747b24bf5d12082.zip |
prefer token if available
Diffstat (limited to 'include/security.php')
-rw-r--r-- | include/security.php | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/include/security.php b/include/security.php index 93d951687..4b072cf92 100644 --- a/include/security.php +++ b/include/security.php @@ -321,6 +321,7 @@ function change_channel($change_channel) { function permissions_sql($owner_id, $remote_observer = null, $table = '', $token = EMPTY_STR) { $local_channel = local_channel(); + $observer = $remote_observer ?? get_observer_hash(); /** * Construct permissions @@ -344,15 +345,22 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token if (($local_channel) && ($local_channel == $owner_id)) { return EMPTY_STR; } - /** - * Authenticated visitor. - */ - else { - $observer = ((!is_null($remote_observer)) ? $remote_observer : get_observer_hash()); + /* + * OCAP token access + */ - if ($observer) { + if ($token) { + $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') . + "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )"; + } + + /** + * Authenticated visitor. + */ + + elseif ($observer) { $sec = get_security_ids($owner_id, $observer); @@ -400,16 +408,6 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token dbesc($gs) ); } - - /* - * OCAP token access - */ - - elseif ($token) { - $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') . - "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )"; - } - } return $sql; |