Merge branch 'master' into tres

Conflicts:
	view/css/mod_events.css
	view/theme/redbasic/css/style.css

13 files changed, 467 insertions, 53 deletions

diff --git a/include/attach.php b/include/attach.php
index ec79f47e5..cd8fe4f06 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -970,6 +970,30 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
 
 	$poster = get_app()->get_observer();
 
+	//if we got no object something went wrong
+	if(!$object)
+		return;
+
+	$is_dir = (($object['flags'] & ATTACH_FLAG_DIR) ? true : false);
+
+	//do not send activity for folders for now
+	if($is_dir)
+		return;
+
+	//check for recursive perms if we are in a folder
+	if($object['folder']) {
+
+		$folder_hash = $object['folder'];
+
+		$r_perms = recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_gid, $folder_hash);
+
+		$allow_cid = perms2str($r_perms['allow_cid']);
+		$allow_gid = perms2str($r_perms['allow_gid']);
+		$deny_cid = perms2str($r_perms['deny_cid']);
+		$deny_gid = perms2str($r_perms['deny_gid']);
+
+	}
+
 	$mid = item_message_id();
 
 	$arr = array();
@@ -1124,7 +1148,132 @@ function get_file_activity_object($channel_id, $hash, $cloudpath) {
 		'created'	=> $x[0]['created'],
 		'edited'	=> $x[0]['edited']
 	);
-
 	return $object;
 
 }
+
+function recursive_activity_recipients($allow_cid, $allow_gid, $deny_cid, $deny_gid, $folder_hash) {
+
+	$poster = get_app()->get_observer();
+
+	$arr_allow_cid = expand_acl($allow_cid);
+	$arr_allow_gid = expand_acl($allow_gid);
+	$arr_deny_cid = expand_acl($deny_cid);
+	$arr_deny_gid = expand_acl($deny_gid);
+
+	$count = 0;
+	while($folder_hash) {
+		$x = q("SELECT allow_cid, allow_gid, deny_cid, deny_gid, folder FROM attach WHERE hash = '%s' LIMIT 1",
+			dbesc($folder_hash)
+		);
+
+		//only process private folders
+		if($x[0]['allow_cid'] || $x[0]['allow_gid'] || $x[0]['deny_cid'] || $x[0]['deny_gid']) {
+
+			$parent_arr['allow_cid'][] = expand_acl($x[0]['allow_cid']);
+			$parent_arr['allow_gid'][] = expand_acl($x[0]['allow_gid']);
+
+			//TODO: should find a much better solution for the allow_cid <-> allow_gid problem.
+			//Do not use allow_gid for now. Instead lookup the members of the group directly and add them to allow_cid.
+			if($parent_arr['allow_gid']) {
+				foreach($parent_arr['allow_gid'][$count] as $gid) {
+					$in_group = in_group($gid);
+					$parent_arr['allow_cid'][$count] = array_unique(array_merge($parent_arr['allow_cid'][$count], $in_group));
+				}
+			}
+
+			$parent_arr['deny_cid'][] = expand_acl($x[0]['deny_cid']);
+			$parent_arr['deny_gid'][] = expand_acl($x[0]['deny_gid']);
+
+			$count++;
+
+		}
+
+		$folder_hash = $x[0]['folder'];
+
+	}
+
+	//if none of the parent folders is private just return file perms
+	if(!$parent_arr['allow_cid'] && !$parent_arr['allow_gid'] && !$parent_arr['deny_cid'] && !$parent_arr['deny_gid']) {
+		$ret['allow_gid'] = $arr_allow_gid;
+		$ret['allow_cid'] = $arr_allow_cid;
+		$ret['deny_gid'] = $arr_deny_gid;
+		$ret['deny_cid'] = $arr_deny_cid;
+
+		return $ret;
+	}
+
+	//if there are no perms on the file we get them from the first parent folder
+	if(!$arr_allow_cid && !$arr_allow_gid && !$arr_deny_cid && !$arr_deny_gid) {
+		$arr_allow_cid = $parent_arr['allow_cid'][0];
+		$arr_allow_gid = $parent_arr['allow_gid'][0];
+		$arr_deny_cid = $parent_arr['deny_cid'][0];
+		$arr_deny_gid = $parent_arr['deny_gid'][0];
+	}
+
+	//allow_cid
+	$r_arr_allow_cid = false;
+	foreach ($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
+		foreach ($folder_arr_allow_cid as $ac_hash) {
+			$count_values[$ac_hash]++;
+		}
+	}
+	foreach ($arr_allow_cid as $fac_hash) {
+		if($count_values[$fac_hash] == $count)
+			$r_arr_allow_cid[] = $fac_hash;
+	}
+
+	//allow_gid
+	$r_arr_allow_gid = false;
+	foreach ($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
+		foreach ($folder_arr_allow_gid as $ag_hash) {
+			$count_values[$ag_hash]++;
+		}
+	}
+	foreach ($arr_allow_gid as $fag_hash) {
+		if($count_values[$fag_hash] == $count)
+			$r_arr_allow_gid[] = $fag_hash;
+	}
+
+	//deny_gid
+	foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
+		$r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
+	}
+	$r_arr_deny_gid = array_unique($r_arr_deny_gid);
+
+	//deny_cid
+	foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
+		$r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+	}
+	$r_arr_deny_cid = array_unique($r_arr_deny_cid);
+
+	//if none is allowed restrict to self
+	if(($r_arr_allow_gid === false) && ($r_arr_allow_cid === false)) {
+		$ret['allow_cid'] = $poster['xchan_hash'];
+	} else {
+		$ret['allow_gid'] = $r_arr_allow_gid;
+		$ret['allow_cid'] = $r_arr_allow_cid;
+		$ret['deny_gid'] = $r_arr_deny_gid;
+		$ret['deny_cid'] = $r_arr_deny_cid;
+	}
+
+	return $ret;
+
+}
+
+function in_group($group_id) {
+	//TODO: make these two queries one with a join.
+	$x = q("SELECT id FROM groups WHERE hash = '%s'",
+		dbesc($group_id)
+	);
+
+	$r = q("SELECT xchan FROM group_member WHERE gid = %d",
+		intval($x[0]['id'])
+	);
+
+	foreach($r as $ig) {
+		$group_members[] = $ig['xchan'];
+	}
+
+	return $group_members;
+}
diff --git a/include/bbcode.php b/include/bbcode.php
index 7067fcd39..8f2b5bd38 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -216,7 +216,7 @@ function bb_ShareAttributes($match) {
 	$headline = '<div class="shared_container"> <div class="shared_header">';
 
 	if ($avatar != "")
-		$headline .= '<img src="' . $avatar . '" alt="' . $author . '" height="32" width="32" />';
+		$headline .= '<a href="' . zid($profile) . '" ><img src="' . $avatar . '" alt="' . $author . '" height="32" width="32" /></a>';
 
 	// Bob Smith wrote the following post 2 hours ago
 
diff --git a/include/conversation.php b/include/conversation.php
index a61f070a7..f76d3a27c 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -610,10 +610,6 @@ function conversation(&$a, $items, $mode, $update, $page_mode = 'traditional', $
 					$profile_link = zid($profile_link);
 
 				$normalised = normalise_link((strlen($item['author-link'])) ? $item['author-link'] : $item['url']);
-				if(x($a->contacts,$normalised))
-					$profile_avatar = $a->contacts[$normalised]['thumb'];
-				else
-					$profile_avatar = ((strlen($item['author-avatar'])) ? $a->get_cached_avatar_image($item['author-avatar']) : $item['thumb']);
 
 				$profile_name = $item['author']['xchan_name'];
 				$profile_link = $item['author']['xchan_url'];
@@ -1129,6 +1125,9 @@ function status_editor($a,$x,$popup=false) {
 	if(x($x,'nopreview'))
 		$preview = '';
 
+	$defexpire = ((($z = get_pconfig($x['profile_uid'],'system','default_post_expire')) && (! $webpage)) ? $z : '');
+
+
 	$cipher = get_pconfig($x['profile_uid'],'system','default_cipher');
 	if(! $cipher)
 		$cipher = 'aes256';
@@ -1186,7 +1185,7 @@ function status_editor($a,$x,$popup=false) {
 		'$preview' => $preview,
 		'$source' => ((x($x,'source')) ? $x['source'] : ''),
 		'$jotplugins' => $jotplugins,
-		'$defexpire' => '',
+		'$defexpire' => $defexpire,
 		'$feature_expire' => ((feature_enabled($x['profile_uid'],'content_expire') && (! $webpage)) ? true : false),
 		'$expires' => t('Set expiration date'),
 		'$feature_encrypt' => ((feature_enabled($x['profile_uid'],'content_encrypt') && (! $webpage)) ? true : false),
diff --git a/include/diaspora.php b/include/diaspora.php
index 447fd363a..518f6ccd1 100755
--- a/include/diaspora.php
+++ b/include/diaspora.php
@@ -35,19 +35,28 @@ function diaspora_dispatch_public($msg) {
 			logger('diaspora_public: delivering to: ' . $rr['channel_name'] . ' (' . $rr['channel_address'] . ') ');
 			diaspora_dispatch($rr,$msg);
 		}
-		if($sys)
-			diaspora_dispatch($sys,$msg);
 	}
-	else
-		logger('diaspora_public: no subscribers');
+	else {
+		if(! $sys)
+			logger('diaspora_public: no subscribers');
+	}
+
+	if($sys) {
+		$sys['system'] = true;
+		logger('diaspora_public: delivering to sys.');
+		diaspora_dispatch($sys,$msg);
+	}
 }
 
 
 
-function diaspora_dispatch($importer,$msg,$attempt=1) {
+function diaspora_dispatch($importer,$msg) {
 
 	$ret = 0;
 
+	if(! array_key_exists('system',$importer))
+		$importer['system'] = false;
+
 	$enabled = intval(get_config('system','diaspora_enabled'));
 	if(! $enabled) {
 		logger('mod-diaspora: disabled');
@@ -100,7 +109,7 @@ function diaspora_dispatch($importer,$msg,$attempt=1) {
 		$ret = diaspora_signed_retraction($importer,$xmlbase->relayable_retraction,$msg);
 	}
 	elseif($xmlbase->photo) {
-		$ret = diaspora_photo($importer,$xmlbase->photo,$msg,$attempt);
+		$ret = diaspora_photo($importer,$xmlbase->photo,$msg);
 	}
 	elseif($xmlbase->conversation) {
 		$ret = diaspora_conversation($importer,$xmlbase->conversation,$msg);
@@ -267,8 +276,6 @@ function diaspora_process_outbound($arr) {
 }
 
 
-
-
 function diaspora_handle_from_contact($contact_hash) {
 
 	logger("diaspora_handle_from_contact: contact id is " . $contact_hash, LOGGER_DEBUG);
@@ -286,11 +293,21 @@ function diaspora_get_contact_by_handle($uid,$handle) {
 
 	if(diaspora_is_blacklisted($handle))
 		return false;
+	require_once('include/identity.php');
+
+	$sys = get_sys_channel();
+	if(($sys) && ($sys['channel_id'] == $uid)) {
+		$r = q("SELECT * FROM xchan where xchan_addr = '%s' limit 1",
+			dbesc($handle)
+		);
+	}
+	else {
+		$r = q("SELECT * FROM abook left join xchan on xchan_hash = abook_xchan where xchan_addr = '%s' and abook_channel = %d limit 1",
+			dbesc($handle),
+			intval($uid)
+		);
+	}
 
-	$r = q("SELECT * FROM abook left join xchan on xchan_hash = abook_xchan where xchan_addr = '%s' and abook_channel = %d limit 1",
-		dbesc($handle),
-		intval($uid)
-	);
 	return (($r) ? $r[0] : false);
 }
 
@@ -783,7 +800,7 @@ function diaspora_post($importer,$xml,$msg) {
 	}
 
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream'))) {
 		logger('diaspora_post: Ignoring this author.');
 		return 202;
 	}
@@ -970,7 +987,7 @@ function diaspora_reshare($importer,$xml,$msg) {
 	if(! $contact)
 		return;
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream'))) {
 		logger('diaspora_reshare: Ignoring this author: ' . $diaspora_handle . ' ' . print_r($xml,true));
 		return 202;
 	}
@@ -1137,7 +1154,7 @@ function diaspora_asphoto($importer,$xml,$msg) {
 	if(! $contact)
 		return;
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream'))) {
 		logger('diaspora_asphoto: Ignoring this author.');
 		return 202;
 	}
@@ -1242,7 +1259,7 @@ function diaspora_comment($importer,$xml,$msg) {
 		return;
 	}
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'post_comments')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'post_comments'))) {
 		logger('diaspora_comment: Ignoring this author.');
 		return 202;
 	}
@@ -1719,7 +1736,7 @@ function diaspora_message($importer,$xml,$msg) {
 }
 
 
-function diaspora_photo($importer,$xml,$msg,$attempt=1) {
+function diaspora_photo($importer,$xml,$msg) {
 
 	$a = get_app();
 
@@ -1747,7 +1764,7 @@ function diaspora_photo($importer,$xml,$msg,$attempt=1) {
 		return;
 	}
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'send_stream'))) {
 		logger('diaspora_photo: Ignoring this author.');
 		return 202;
 	}
@@ -1806,7 +1823,7 @@ function diaspora_like($importer,$xml,$msg) {
 	}
 
 
-	if(! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'post_comments')) {
+	if((! $importer['system']) && (! perm_is_allowed($importer['channel_id'],$contact['xchan_hash'],'post_comments'))) {
 		logger('diaspora_like: Ignoring this author.');
 		return 202;
 	}
diff --git a/include/dir_fns.php b/include/dir_fns.php
index 86be8662c..b5ba296cf 100644
--- a/include/dir_fns.php
+++ b/include/dir_fns.php
@@ -216,6 +216,49 @@ function sync_directories($dirmode) {
 				);
 			}
 		}
+		if(count($j['ratings'])) {
+			foreach($j['ratings'] as $rr) {		
+				$x = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1",
+					dbesc($rr['channel']),
+					dbesc($rr['target'])
+				);
+				if($x && $x[0]['xlink_updated'] >= $rr['edited'])
+					continue;
+				$y = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
+					dbesc($rr['channel'])
+				);
+				if(! $y) {
+					logger('key unavailable on this site for ' . $rr['channel']);
+					continue;
+				}
+				if(! rsa_verify($rr['target'] . '.' . $rr['rating'] . '.' . $rr['rating_text'], base64url_decode($rr['signature']),$y[0]['xchan_pubkey'])) {
+			        logger('failed to verify rating');
+					continue;
+				}
+
+				if($x) {
+					$z = q("update xlink set xlink_rating = %d, xlink_rating_text = '%s', xlink_sig = '%s', xlink_updated = '%s' where xlink_id = %d",
+						intval($rr['rating']),
+						dbesc($rr['rating_text']),
+						dbesc($rr['signature']),
+						dbesc(datetime_convert()),
+						intval($x[0]['xlink_id'])
+	        		);
+			        logger('rating updated');
+    			}
+    			else {
+        			$z = q("insert into xlink ( xlink_xchan, xlink_link, xlink_rating, xlink_rating_text, xlink_sig, xlink_updated, xlink_static ) values( '%s', '%s', %d, '%s', '%s', 1 ) ",
+						dbesc($rr['channel']),
+						dbesc($rr['target']),
+						intval($rr['rating']),
+						dbesc($rr['rating_text']),
+						dbesc($rr['signature']),
+						dbesc(datetime_convert())
+					);
+					logger('rating created');
+				}
+			}
+		}
 	}
 }
 
diff --git a/include/identity.php b/include/identity.php
index f81d285c7..4a39070bd 100644
--- a/include/identity.php
+++ b/include/identity.php
@@ -941,6 +941,9 @@ logger('online: ' . $profile['online']);
 
 	$tpl = get_markup_template('profile_vcard.tpl');
 
+	require_once('include/widgets.php');
+	$z = widget_rating(array('target' => $profile['channel_hash']));
+
 	$o .= replace_macros($tpl, array(
 		'$profile'       => $profile,
 		'$connect'       => $connect,
@@ -952,6 +955,7 @@ logger('online: ' . $profile['online']);
 		'$homepage'      => $homepage,
 		'$chanmenu'      => $channel_menu,
 		'$diaspora'      => $diaspora,
+		'$rating'        => $z,
 		'$contact_block' => $contact_block,
 	));
 
diff --git a/include/items.php b/include/items.php
index f07b7a2e7..4608d5d55 100755
--- a/include/items.php
+++ b/include/items.php
@@ -4746,6 +4746,7 @@ function item_remove_cid($xchan_hash,$mid,$uid) {
 // Set item permissions based on results obtained from linkify_tags()
 function set_linkified_perms($linkified, &$str_contact_allow, &$str_group_allow, $profile_uid, $parent_item = false) {
 	$first_access_tag = true;
+
 	foreach($linkified as $x) {
 		$access_tag = $x['access_tag'];
 		if(($access_tag) && (! $parent_item)) {
diff --git a/include/js_strings.php b/include/js_strings.php
index f4c0a631d..56ffa9536 100644
--- a/include/js_strings.php
+++ b/include/js_strings.php
@@ -16,6 +16,10 @@ function js_strings() {
 		'$permschange' => t('Notice: Permissions have changed but have not yet been submitted.'),
 		'$closeAll'    => t('close all'),
 		'$nothingnew'  => t('Nothing new here'),
+		'$rating_desc' => t('Rate This Channel (this is public)'),
+		'$rating_val'  => t('Rating'),
+		'$rating_text' => t('Describe (optional)'),
+		'$submit'      => t('Submit'),
 
 		'$t01' => ((t('timeago.prefixAgo') != 'timeago.prefixAgo') ? t('timeago.prefixAgo') : ''),
 		'$t02' => ((t('timeago.prefixFromNow') != 'timeago.prefixFromNow') ? t('timeago.prefixFromNow') : ''),
diff --git a/include/notifier.php b/include/notifier.php
index 303e3485b..174df7120 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -295,15 +295,6 @@ function notifier_run($argv, $argc){
 		$private = false;
 		$packet_type = 'purge';
 	}
-	elseif($cmd === 'rating') {
-		$r = q("select * from xlink where xlink_id = %d and xlink_static = 1 limit 1",
-			intval($item_id)
-		);
-		if($r) {
-			logger('rating message: ' . print_r($r[0],true));
-			return;
-		}
-	}
 	else {
 
 		// Normal items
@@ -483,11 +474,6 @@ function notifier_run($argv, $argc){
 	// Now we have collected recipients (except for external mentions, FIXME)
 	// Let's reduce this to a set of hubs.
 
-	
-	// for public posts always include our own hub
-// this shouldn't be needed any more. collect_recipients should take care of it.
-//	$sql_extra = (($private) ? "" : " or hubloc_url = '" . dbesc(z_root()) . "' ");
-
 	logger('notifier: hub choice: ' . intval($relay_to_owner) . ' ' . intval($private) . ' ' . $cmd, LOGGER_DEBUG);
 
 	if($relay_to_owner && (! $private) && ($cmd !== 'relay')) {
diff --git a/include/ratenotif.php b/include/ratenotif.php
new file mode 100644
index 000000000..4fa0077a6
--- /dev/null
+++ b/include/ratenotif.php
@@ -0,0 +1,124 @@
+<?php
+
+require_once('include/cli_startup.php');
+require_once('include/zot.php');
+require_once('include/queue_fn.php');
+
+
+function ratenotif_run($argv, $argc){
+
+	cli_startup();
+
+	$a = get_app();
+
+	require_once("session.php");
+	require_once("datetime.php");
+	require_once('include/items.php');
+	require_once('include/Contact.php');
+
+	if($argc < 3)
+		return;
+
+
+	logger('ratenotif: invoked: ' . print_r($argv,true), LOGGER_DEBUG);
+
+	$cmd = $argv[1];
+
+	$item_id = $argv[2];
+
+
+	if($cmd === 'rating') {
+		$r = q("select * from xlink where xlink_id = %d and xlink_static = 1 limit 1",
+			intval($item_id)
+		);
+		if(! $r) {
+			logger('rating not found');
+			return;
+		}
+
+		$encoded_item = array(
+			'type' => 'rating', 
+			'encoding' => 'zot',
+			'target' => $r[0]['xlink_link'],
+			'rating' => intval($r[0]['xlink_rating']),
+			'rating_text' => $r[0]['xlink_rating_text'],
+			'signature' => $r[0]['xlink_sig'],
+			'edited' => $r[0]['xlink_updated']
+		);
+	}
+
+	$channel = channelx_by_hash($r[0]['xlink_xchan']);
+	if(! $channel) {
+		logger('no channel');
+		return;
+	}
+
+
+	$primary = get_directory_primary();
+
+	if(! $primary)
+		return;
+
+
+	$interval = ((get_config('system','delivery_interval') !== false) 
+		? intval(get_config('system','delivery_interval')) : 2 );
+
+	$deliveries_per_process = intval(get_config('system','delivery_batch_count'));
+
+	if($deliveries_per_process <= 0)
+		$deliveries_per_process = 1;
+
+	$deliver = array();
+
+	$x = z_fetch_url($primary . '/regdir');
+	if($x['success']) {
+		$j = json_decode($x['body'],true);
+		if($j && $j['success'] && is_array($j['directories'])) {
+
+			foreach($j['directories'] as $h) {
+//				if($h == z_root())
+//					continue;
+
+				$hash = random_string();
+				$n = zot_build_packet($channel,'notify',null,null,$hash);
+
+				q("insert into outq ( outq_hash, outq_account, outq_channel, outq_driver, outq_posturl, outq_async, outq_created, outq_updated, outq_notify, outq_msg ) values ( '%s', %d, %d, '%s', '%s', %d, '%s', '%s', '%s', '%s' )",
+					dbesc($hash),
+					intval($channel['channel_account_id']),
+					intval($channel['channel_id']),
+					dbesc('zot'),
+					dbesc($h . '/post'),
+					intval(1),
+					dbesc(datetime_convert()),
+					dbesc(datetime_convert()),
+					dbesc($n),
+					dbesc(json_encode($encoded_item))
+				);
+			}
+			$deliver[] = $hash;
+
+			if(count($deliver) >= $deliveries_per_process) {
+				proc_run('php','include/deliver.php',$deliver);
+				$deliver = array();
+				if($interval)
+					@time_sleep_until(microtime(true) + (float) $interval);
+			}
+
+
+			// catch any stragglers
+
+			if(count($deliver)) {
+			proc_run('php','include/deliver.php',$deliver);
+			}
+		}
+	}
+		
+	logger('ratenotif: complete.');
+	return;
+
+}
+
+if (array_search(__file__,get_included_files())===0){
+  ratenotif_run($argv,$argc);
+  killme();
+}
diff --git a/include/text.php b/include/text.php
index 6c3bb3017..1689dbef7 100644
--- a/include/text.php
+++ b/include/text.php
@@ -1945,9 +1945,9 @@ function find_xchan_in_array($xchan,$arr) {
 }
 
 function get_rel_link($j,$rel) {
-	if(count($j))
+	if(is_array($j) && ($j))
 		foreach($j as $l)
-			if($l['rel'] === $rel)
+			if(array_key_exists('rel',$j) && $l['rel'] === $rel && array_key_exists('href',$l))
 				return $l['href'];
 
 	return '';
@@ -2296,6 +2296,7 @@ function handle_tag($a, &$body, &$access_tag, &$str_tags, $profile_uid, $tag) {
 			}
 		}
 		else {
+
 			// check for a group/collection exclusion tag			
 
 			// note that we aren't setting $replaced even though we're replacing text.
@@ -2356,6 +2357,8 @@ function linkify_tags($a, &$body, $uid) {
 	$tags = get_tags($body);
 	if(count($tags)) {
 		foreach($tags as $tag) {
+			$access_tag = '';
+
 			// If we already tagged 'Robert Johnson', don't try and tag 'Robert'.
 			// Robert Johnson should be first in the $tags array
 
diff --git a/include/widgets.php b/include/widgets.php
index 882e21f1c..7cc9fc708 100644
--- a/include/widgets.php
+++ b/include/widgets.php
@@ -903,3 +903,63 @@ function widget_random_block($arr) {
 
 	return $o;
 }
+
+
+function widget_rating($arr) {
+	$a = get_app();
+
+	$poco_rating = get_config('system','poco_rating_enable');
+	if((! $poco_rating) && ($poco_rating !== false)) {
+		return;
+	}
+
+	if($arr['target'])
+		$hash = $arr['target'];
+	else
+		$hash = $a->poi['xchan_hash'];
+
+	if(! $hash)
+		return;
+
+	$url = '';
+	$remote = false;
+
+	if(remote_channel() && ! local_channel()) {
+		$ob = $a->get_observer();
+		if($ob && $ob['xchan_url']) {
+			$p = parse_url($ob['xchan_url']);
+			if($p) {
+				$url = $p['scheme'] . '://' . $p['host'] . (($p['port']) ? ':' . $p['port'] : '');
+				$url .= '/rate?f=&target=' . urlencode($hash);
+			}
+			$remote = true;
+		}
+	}
+
+	$self = false;
+
+	if(local_channel()) {
+		$channel = $a->get_channel();
+
+		if($hash == $channel['channel_hash'])
+			$self = true;
+
+		head_add_js('ratings.js');
+
+	}
+
+	if((($remote) || (local_channel())) && (! $self)) {
+		$o = '<div class="widget rateme">';
+		if($remote)
+			$o .= '<a class="rateme" href="' . $url . '"><i class="icon-pencil"></i> ' . t('Rate Me') . '</a>';
+		else
+			$o .= '<div class="rateme fakelink" onclick="doRatings(\'' . $hash . '\'); return false;"><i class="icon-pencil"></i> ' . t('Rate Me') . '</div>';
+		$o .= '</div>';
+	}
+
+	$o .= '<div class="widget rateme"><a class="rateme" href="ratings/' . $hash . '"><i class="icon-eye-open"></i> ' . t('View Ratings') . '</a>';
+	$o .= '</div>';
+
+	return $o;
+
+}
diff --git a/include/zot.php b/include/zot.php
index ed8f1e72e..b654a1b86 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -418,7 +418,7 @@ function zot_refresh($them,$channel = null, $force = false) {
 					where abook_xchan = '%s' and abook_channel = %d 
 					and not (abook_flags & %d) > 0 ",
 					intval($their_perms),
-					dbesc($next_birthday),
+					dbescdate($next_birthday),
 					dbesc($x['hash']),
 					intval($channel['channel_id']),
 					intval(ABOOK_FLAG_SELF)
@@ -1067,6 +1067,11 @@ function zot_import($arr, $sender_url) {
 
 	if(is_array($incoming)) {
 		foreach($incoming as $i) {
+			if(! is_array($i)) {
+				logger('incoming is not an array');
+				continue;
+			}
+
 			$result = null;
 
 			if(array_key_exists('iv',$i['notify'])) {
@@ -1091,7 +1096,8 @@ function zot_import($arr, $sender_url) {
 			if(array_key_exists('message',$i) && array_key_exists('type',$i['message']) && $i['message']['type'] === 'rating') {
 				// rating messages are processed only by directory servers
 				logger('Rating received: ' . print_r($arr,true), LOGGER_DATA);
-				$result = process_rating_delivery($i['notify']['sender'],$arr);
+				$result = process_rating_delivery($i['notify']['sender'],$i['message']);
+				continue;
 			}
 
 			if(array_key_exists('recipients',$i['notify']) && count($i['notify']['recipients'])) {
@@ -1793,34 +1799,52 @@ function process_mail_delivery($sender,$arr,$deliveries) {
 
 function process_rating_delivery($sender,$arr) {
 
-	$dirmode = intval(get_config('system','directory_mode'));
-	if($dirmode == DIRECTORY_MODE_NORMAL)
-		return;
+	logger('process_rating_delivery: ' . print_r($arr,true));
 
 	if(! $arr['target'])
 		return;
 
-	$r = q("select * from xlink where xlink_xchan = '%s' and xlink_target = '%s' limit 1",
+	$z = q("select xchan_pubkey from xchan where xchan_hash = '%s' limit 1",
+		dbesc($sender['hash'])
+	);
+
+
+	if((! $z) || (! rsa_verify($arr['target'] . '.' . $arr['rating'] . '.' . $arr['rating_text'], base64url_decode($arr['signature']),$z[0]['xchan_pubkey']))) {
+		logger('failed to verify rating');
+		return;
+	}
+
+	$r = q("select * from xlink where xlink_xchan = '%s' and xlink_link = '%s' and xlink_static = 1 limit 1",
 		dbesc($sender['hash']),
 		dbesc($arr['target'])
-	);		
+	);	
+	
 	if($r) {
-		$x = q("update xlink set xlink_rating = %d, xlink_rating_text = '%s', xlink_updated = '%s' where xlink_id = %d",
+		if($r[0]['xlink_updated'] >= $arr['edited']) {
+			logger('rating message duplicate');
+			return;
+		}
+
+		$x = q("update xlink set xlink_rating = %d, xlink_rating_text = '%s', xlink_sig = '%s', xlink_updated = '%s' where xlink_id = %d",
 			intval($arr['rating']),
-			intval($arr['rating_text']),
+			dbesc($arr['rating_text']),
+			dbesc($arr['signature']),
 			dbesc(datetime_convert()),
 			intval($r[0]['xlink_id'])
 		);
+		logger('rating updated');
 	}
 	else {
-		$x = q("insert into xlink ( xlink_xchan, xlink_link, xlink_rating, xlink_rating_text, xlink_updated, xlink_static )
+		$x = q("insert into xlink ( xlink_xchan, xlink_link, xlink_rating, xlink_rating_text, xlink_sig, xlink_updated, xlink_static )
 			values( '%s', '%s', %d, '%s', '%s', 1 ) ",
 			dbesc($sender['hash']),
 			dbesc($arr['target']),
 			intval($arr['rating']),
-			intval($arr['rating_text']),
+			dbesc($arr['rating_text']),
+			dbesc($arr['signature']),
 			dbesc(datetime_convert())
 		);
+		logger('rating created');
 	}
 	return;
 }