diff options
author | zotlabs <mike@macgirvin.com> | 2018-04-30 22:30:59 -0700 |
---|---|---|
committer | zotlabs <mike@macgirvin.com> | 2018-04-30 22:30:59 -0700 |
commit | 32423a7706c45d0d7187444f50eac33ca4fdfaa0 (patch) | |
tree | d96a5b4e1751b0918a20975af5903155c15dbfea /include | |
parent | e841e482589cfc8f9734e313350b6e2b78ea6940 (diff) | |
download | volse-hubzilla-32423a7706c45d0d7187444f50eac33ca4fdfaa0.tar.gz volse-hubzilla-32423a7706c45d0d7187444f50eac33ca4fdfaa0.tar.bz2 volse-hubzilla-32423a7706c45d0d7187444f50eac33ca4fdfaa0.zip |
parent folder permissions weren't being checked back to the cloud root directory in all cases
Diffstat (limited to 'include')
-rw-r--r-- | include/attach.php | 39 |
1 files changed, 26 insertions, 13 deletions
diff --git a/include/attach.php b/include/attach.php index 27bf0218a..0d2b43b58 100644 --- a/include/attach.php +++ b/include/attach.php @@ -266,14 +266,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) { return $ret; } - if(! perm_is_allowed($r[0]['uid'], $observer_hash, 'view_storage')) { + if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) { $ret['message'] = t('Permission denied.'); return $ret; } - $sql_extra = permissions_sql($r[0]['uid'],$observer_hash); - - // Now we'll see if we can access the attachment + // We've already checked for existence and permissions $r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1", dbesc($hash), @@ -281,20 +279,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) { ); if(! $r) { - $ret['message'] = t('Permission denied.'); + $ret['message'] = t('Unknown error.'); return $ret; } $r[0]['content'] = dbunescbin($r[0]['content']); - if($r[0]['folder']) { - $x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']); - if(! $x) { - $ret['message'] = t('Permission denied.'); - return $ret; - } - } - $ret['success'] = true; $ret['data'] = $r[0]; @@ -302,6 +292,29 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) { } +function attach_can_view($uid,$ob_hash,$resource) { + + $sql_extra = permissions_sql($uid,$ob_hash); + $hash = $resource; + + if(! perm_is_allowed($uid,$ob_hash,'view_storage')) { + return false; + } + + $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra", + dbesc($hash), + intval($uid) + ); + if(! $r) { + return false; + } + + return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']); + +} + + + function attach_can_view_folder($uid,$ob_hash,$folder_hash) { $sql_extra = permissions_sql($uid,$ob_hash); |