aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorgit-marijus <mario@mariovavti.com>2017-08-01 23:20:39 +0200
committergit-marijus <mario@mariovavti.com>2017-08-01 23:20:39 +0200
commit599b395e247c991756c7cf5db29608b2c817f476 (patch)
treec82d8f3b05e0c9911a4c50cd994f8eae8c27ddb9 /include
parentaa766b53d6a51cd0c31022f7afed2e63fc62ced2 (diff)
downloadvolse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.tar.gz
volse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.tar.bz2
volse-hubzilla-599b395e247c991756c7cf5db29608b2c817f476.zip
finally fix recursive attachments permissions
Diffstat (limited to 'include')
-rw-r--r--include/attach.php133
1 files changed, 79 insertions, 54 deletions
diff --git a/include/attach.php b/include/attach.php
index d19de2ea3..79a38590b 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -1605,7 +1605,10 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
$folder_hash = $object['folder'];
- $r_perms = recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
+ $r_perms = attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
+
+ if($r_perms === false) //nobody has recursive perms - nobody must be notified
+ return;
//split up returned perms
$arr_allow_cid = $r_perms['allow_cid'];
@@ -1768,7 +1771,7 @@ function get_file_activity_object($channel_id, $hash, $url) {
}
/**
- * @brief Returns array of channels which have recursive permission for a file
+ * @brief Returns recursive permissions array or false if nobody has recursive permissions
*
* @param array $arr_allow_cid
* @param array $arr_allow_gid
@@ -1776,19 +1779,20 @@ function get_file_activity_object($channel_id, $hash, $url) {
* @param array $arr_deny_gid
* @param string $folder_hash
*/
-function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
+function attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
$ret = array();
$parent_arr = array();
$count_values = array();
$poster = App::get_observer();
- //turn allow_gid into allow_cid's
- foreach($arr_allow_gid as $gid) {
- $in_group = group_get_members($gid);
+ //lookup all channels in sharee group and add them to sharee $arr_allow_cid
+ if($arr_allow_gid) {
+ $in_group = expand_groups($arr_allow_gid);
$arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group));
}
+ //count existing parent folders - we will compare to that count later
$count = 0;
while($folder_hash) {
$x = q("SELECT allow_cid, allow_gid, deny_cid, deny_gid, folder FROM attach WHERE hash = '%s' LIMIT 1",
@@ -1797,30 +1801,20 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
//only process private folders
if($x[0]['allow_cid'] || $x[0]['allow_gid'] || $x[0]['deny_cid'] || $x[0]['deny_gid']) {
-
$parent_arr['allow_cid'][] = expand_acl($x[0]['allow_cid']);
$parent_arr['allow_gid'][] = expand_acl($x[0]['allow_gid']);
-
- /**
- * @TODO should find a much better solution for the allow_cid <-> allow_gid problem.
- * Do not use allow_gid for now. Instead lookup the members of the group directly and add them to allow_cid.
- * */
- if($parent_arr['allow_gid']) {
- foreach($parent_arr['allow_gid'][$count] as $gid) {
- $in_group = group_get_members($gid);
- $parent_arr['allow_cid'][$count] = array_unique(array_merge($parent_arr['allow_cid'][$count], $in_group));
- }
- }
-
$parent_arr['deny_cid'][] = expand_acl($x[0]['deny_cid']);
$parent_arr['deny_gid'][] = expand_acl($x[0]['deny_gid']);
+ //this is the number of all existing parent folders - we will compare to that count later
$count++;
}
$folder_hash = $x[0]['folder'];
}
+ //logger(EOL . 'parent_arr: ' . print_r($parent_arr,true));
+
//if none of the parent folders is private just return file perms
if(!$parent_arr['allow_cid'] && !$parent_arr['allow_gid'] && !$parent_arr['deny_cid'] && !$parent_arr['deny_gid']) {
$ret['allow_gid'] = $arr_allow_gid;
@@ -1831,7 +1825,7 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
return $ret;
}
- //if there are no perms on the file we get them from the first parent folder
+ //if there are no perms on the file we will work with the perms from the first parent folder
if(!$arr_allow_cid && !$arr_allow_gid && !$arr_deny_cid && !$arr_deny_gid) {
$arr_allow_cid = $parent_arr['allow_cid'][0];
$arr_allow_gid = $parent_arr['allow_gid'][0];
@@ -1839,52 +1833,83 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
$arr_deny_gid = $parent_arr['deny_gid'][0];
}
- //allow_cid
- $r_arr_allow_cid = false;
- foreach ($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
- foreach ($folder_arr_allow_cid as $ac_hash) {
- $count_values[$ac_hash]++;
+
+ /***
+ *
+ * check if sharee has perms for all parent folders
+ *
+ ***/
+
+ $r_arr_allow_cid = [];
+
+ if($parent_arr['allow_cid']) {
+ //check sharee arr_allow_cid against allow_cid of all parent folders
+ foreach($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
+ foreach($folder_arr_allow_cid as $ac_hash) {
+ $count_values[$ac_hash]++;
+ }
}
- }
- foreach ($arr_allow_cid as $fac_hash) {
- if($count_values[$fac_hash] == $count)
- $r_arr_allow_cid[] = $fac_hash;
+ foreach($arr_allow_cid as $fac_hash) {
+ if($count_values[$fac_hash] == $count)
+ $r_arr_allow_cid[] = $fac_hash;
+ }
+ //logger(EOL . 'r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
}
- //allow_gid
- $r_arr_allow_gid = false;
- foreach ($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
- foreach ($folder_arr_allow_gid as $ag_hash) {
- $count_values[$ag_hash]++;
+ if($parent_arr['allow_gid']) {
+ //check sharee arr_allow_cid against members of allow_gid of all parent folders
+ foreach($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
+ //get the group members
+ $folder_arr_allow_cid = expand_groups($folder_arr_allow_gid);
+ foreach($folder_arr_allow_cid as $ac_hash) {
+ $count_values[$ac_hash]++;
+ }
}
- }
- foreach ($arr_allow_gid as $fag_hash) {
- if($count_values[$fag_hash] == $count)
- $r_arr_allow_gid[] = $fag_hash;
+ foreach($arr_allow_cid as $fac_hash) {
+ if($count_values[$fac_hash] == $count)
+ $r_arr_allow_cid[] = $fac_hash;
+ }
+ //logger(EOL . 'groups - r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
}
- //deny_gid
- foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
- $r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
- }
- $r_arr_deny_gid = array_unique($r_arr_deny_gid);
+
+ /***
+ *
+ * check if sharee is denied somewhere in parent folders and deny him if so
+ *
+ ***/
//deny_cid
- foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
- $r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+ $r_arr_deny_cid = [];
+
+ if($parent_arr['deny_cid']) {
+ foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
+ $r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+ }
+ $r_arr_deny_cid = array_unique($r_arr_deny_cid);
+ //logger(EOL . 'r_arr_deny_cid: ' . print_r($r_arr_deny_cid,true));
}
- $r_arr_deny_cid = array_unique($r_arr_deny_cid);
- //if none is allowed restrict to self
- if(($r_arr_allow_gid === false) && ($r_arr_allow_cid === false)) {
- $ret['allow_cid'] = [$poster['xchan_hash']];
- } else {
- $ret['allow_gid'] = $r_arr_allow_gid;
- $ret['allow_cid'] = $r_arr_allow_cid;
- $ret['deny_gid'] = $r_arr_deny_gid;
- $ret['deny_cid'] = $r_arr_deny_cid;
+ //deny_gid
+ $r_arr_deny_gid = [];
+
+ if($parent_arr['deny_cid']) {
+ foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
+ $r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
+ }
+ $r_arr_deny_gid = array_unique($r_arr_deny_gid);
+ //logger(EOL . 'r_arr_deny_gid: ' . print_r($r_arr_dr_arr_deny_gideny_cid,true));
}
+ //if no channel is allowed return false
+ if(! $r_arr_allow_cid)
+ return false;
+
+ $ret['allow_gid'] = []; // eventual group members are already collected in $r_arr_allow_cid
+ $ret['allow_cid'] = $r_arr_allow_cid;
+ $ret['deny_gid'] = $r_arr_deny_gid;
+ $ret['deny_cid'] = $r_arr_deny_cid;
+
return $ret;
}