authorfriendica <info@friendica.com>2013-09-12 20:11:56 -0700
committerfriendica <info@friendica.com>2013-09-12 20:11:56 -0700
commit3a2d11bde1581b8ee1e2a07c04370ce9eae9ea55 (patch)
treecf611e18d43e0960fcbc9741e0f6a35a5fb12e28 /include/zot.php
parent037fd43fbde829cf4911d7500043f3befa5e99b2 (diff)
so public_recips and allowed_public_recips is working so much better than before, but was still not quite right. We seem to be getting all the right results for top-level posts now, but comments aren't getting through on channels for which we've allowed them to send us their stream, but not comment on our posts. The reason is we were seeing if they could comment - and we only need to do that if we own the post. If they own the post, we only need to check if they can send us their stream.
Diffstat (limited to 'include/zot.php')
-rw-r--r--include/zot.php16
1 files changed, 12 insertions, 4 deletions
diff --git a/include/zot.php b/include/zot.php
index cdbfd2185..e395e88f6 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -926,14 +926,22 @@ function public_recips($msg) {
$check_mentions = false;
if($msg['message']['type'] === 'activity') {
+ $col = 'channel_w_stream';
+ $field = PERMS_W_STREAM;
if(array_key_exists('flags',$msg['message']) && in_array('thread_parent', $msg['message']['flags'])) {
- $col = 'channel_w_stream';
- $field = PERMS_W_STREAM;
+ // check mention recipient permissions on top level posts only
$check_mentions = true;
}
else {
- $col = 'channel_w_comment';
- $field = PERMS_W_COMMENT;
+ // if this is a comment and it wasn't sent by the post owner, check to see who is allowing them to comment.
+ // We should have one specific recipient and this step shouldn't be needed unless somebody stuffed up their software.
+ // We may need this step to protect us from bad guys intentionally stuffing up their software.
+ // If it is sent by the post owner, we don't need to do this. We only need to see who is receiving the
+ // owner's stream (which was already set above) - as they control the comment permissions
+ if($msg['notify']['sender']['guid_sig'] != $msg['message']['owner']['guid_sig']) {
+ $col = 'channel_w_comment';
+ $field = PERMS_W_COMMENT;
+ }
}
}
elseif($msg['message']['type'] === 'mail') {
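Review bot: The new sender/owner test on the comment branch fails open when either `guid_sig` is absent: both lookups yield null, `null != null` is false, and the message keeps the looser `channel_w_stream` / `PERMS_W_STREAM` check instead of the comment permission. Unlike the `flags` lookup a few lines up, nothing here confirms the keys exist, and the loose `!=` should be a strict comparison because it decides which permission applies. Consider `if(! isset($msg['notify']['sender']['guid_sig'], $msg['message']['owner']['guid_sig']) || $msg['notify']['sender']['guid_sig'] !== $msg['message']['owner']['guid_sig']) {` so that malformed packets fall back to `PERMS_W_COMMENT`. Whether the owner block inside `$msg['message']` has been authenticated before public_recips() runs is not visible in this hunk and is worth confirming, since the sender supplies it; the function body starts and ends outside the hunk.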