aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
authorfriendica <info@friendica.com>2013-07-30 19:43:46 -0700
committerfriendica <info@friendica.com>2013-07-30 19:43:46 -0700
commit41c411739fcb92edfca673106800741eef413c86 (patch)
treec6e11e32a4bf9a474c5549fe272bddb4546661d0 /include/security.php
parentcb4d61e092e9e27c3753f60dd0a3757855279bbf (diff)
downloadvolse-hubzilla-41c411739fcb92edfca673106800741eef413c86.tar.gz
volse-hubzilla-41c411739fcb92edfca673106800741eef413c86.tar.bz2
volse-hubzilla-41c411739fcb92edfca673106800741eef413c86.zip
attachment permissions not right
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php82
1 files changed, 44 insertions, 38 deletions
diff --git a/include/security.php b/include/security.php
index 29a0fc0bc..ef4d5a313 100644
--- a/include/security.php
+++ b/include/security.php
@@ -205,26 +205,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
+
return $sql;
}
@@ -260,25 +263,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
return $sql;
}