authorzotlabs <mike@macgirvin.com>2018-04-30 22:30:59 -0700
committerzotlabs <mike@macgirvin.com>2018-04-30 22:30:59 -0700
commit32423a7706c45d0d7187444f50eac33ca4fdfaa0 (patch)
treed96a5b4e1751b0918a20975af5903155c15dbfea /include
parente841e482589cfc8f9734e313350b6e2b78ea6940 (diff)
parent folder permissions weren't being checked back to the cloud root directory in all cases
Diffstat (limited to 'include')
-rw-r--r--include/attach.php39
1 files changed, 26 insertions, 13 deletions
diff --git a/include/attach.php b/include/attach.php
index 27bf0218a..0d2b43b58 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -266,14 +266,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
return $ret;
}
- if(! perm_is_allowed($r[0]['uid'], $observer_hash, 'view_storage')) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
- $sql_extra = permissions_sql($r[0]['uid'],$observer_hash);
-
- // Now we'll see if we can access the attachment
+ // We've already checked for existence and permissions
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
dbesc($hash),
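Review bot: The SELECT that remains at the bottom of this hunk still interpolates `$sql_extra`, but the assignment that gave it the observer's permission clause is removed, so its value now comes from whatever set it earlier in attach_by_hash (the function starts before the hunk) — presumably a revision selector built from `$rev`, or, if nothing set it, an undefined variable. Either way the returned row is no longer filtered by permissions_sql; that looks intended given the new comment, but attach_can_view (added in a later hunk of this commit) queries the hash without any `$rev` constraint, so for a revision-specific request the row whose permissions were evaluated is not necessarily the revision handed back here. The 'Unknown error.' branch in the next hunk inherits the same dependency on the earlier `$sql_extra`. If relying on the earlier assignment is deliberate, say so where it is read: `// $sql_extra here is the revision selector set above; observer permissions were already enforced by attach_can_view()`, and consider passing `$rev` through to attach_can_view so both queries select the same row.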
@@ -281,20 +279,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
);
if(! $r) {
- $ret['message'] = t('Permission denied.');
+ $ret['message'] = t('Unknown error.');
return $ret;
}
$r[0]['content'] = dbunescbin($r[0]['content']);
- if($r[0]['folder']) {
- $x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
- if(! $x) {
- $ret['message'] = t('Permission denied.');
- return $ret;
- }
- }
-
$ret['success'] = true;
$ret['data'] = $r[0];
@@ -302,6 +292,29 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
}
+function attach_can_view($uid,$ob_hash,$resource) {
+
+ $sql_extra = permissions_sql($uid,$ob_hash);
+ $hash = $resource;
+
+ if(! perm_is_allowed($uid,$ob_hash,'view_storage')) {
+ return false;
+ }
+
+ $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
+ dbesc($hash),
+ intval($uid)
+ );
+ if(! $r) {
+ return false;
+ }
+
+ return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']);
+
+}
+
+
+
function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
$sql_extra = permissions_sql($uid,$ob_hash);