a bit more cleanup and a bug fix or two for the new private post security model

2 files changed, 24 insertions, 17 deletions

diff --git a/include/items.php b/include/items.php
index 08c814e10..6af92d7e5 100755
--- a/include/items.php
+++ b/include/items.php
@@ -7,17 +7,13 @@ require_once('include/photo/photo_driver.php');
 require_once('include/permissions.php');
 
 
-function collect_recipients($item,&$private) {
+function collect_recipients($item,&$private_envelope) {
 
 	require_once('include/group.php');
 
-	$private = ((intval($item['item_private'])) ? true : false);
+	$private_envelope = ((intval($item['item_private'])) ? true : false);
 	$recipients = array();
 
-	// if the post is marked private but there are no recipients, only add the author and owner
-	// as recipients. The ACL for the post may live on the hub of a different clone. We need to 
-	// get the post to that hub.
-
 	if($item['allow_cid'] || $item['allow_gid'] || $item['deny_cid'] || $item['deny_gid']) {
 
 		// it is private
@@ -49,10 +45,21 @@ function collect_recipients($item,&$private) {
 
 		$deny = array_unique(array_merge($deny_people,$deny_groups));
 		$recipients = array_diff($recipients,$deny);
-		$private = true;
+		$private_envelope = true;
 	}
 	else {
-		if($item['public_policy'] || (! $private)) {
+
+		// if the post is marked private but there are no recipients and public_policy/scope = self, 
+		// only add the author and owner as recipients. The ACL for the post may live on the hub of
+		// a different clone. We need to get the post to that hub.
+
+		// The post may be private by virtue of not being visible to anybody on the internet,
+		// but there are no envelope recipients, so set this to false. Delivery is controlled 
+		// by the directives in $item['public_policy'].
+
+		$private_envelope = false;
+
+		if(array_key_exists('public_policy',$item) && $item['public_policy'] !== 'self') {
 			$r = q("select abook_xchan from abook where abook_channel = %d and not (abook_flags & %d) ",
 				intval($item['uid']),
 				intval(ABOOK_FLAG_SELF|ABOOK_FLAG_PENDING|ABOOK_FLAG_ARCHIVED)
diff --git a/include/permissions.php b/include/permissions.php
index facba037f..0610ca1c1 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -10,12 +10,12 @@ function get_perms() {
 
 	$global_perms = array(
 		// Read only permissions
-		'view_stream'   => array('channel_r_stream',  intval(PERMS_R_STREAM),  true, t('Can view my "public" stream and posts'), ''),
-		'view_profile'  => array('channel_r_profile', intval(PERMS_R_PROFILE), true, t('Can view my "public" channel profile'), ''),
-		'view_photos'   => array('channel_r_photos',  intval(PERMS_R_PHOTOS),  true, t('Can view my "public" photo albums'), ''),
-		'view_contacts' => array('channel_r_abook',   intval(PERMS_R_ABOOK),   true, t('Can view my "public" address book'), ''),
-		'view_storage' => array('channel_r_storage',   intval(PERMS_R_STORAGE),   true, t('Can view my "public" file storage'), ''),
-		'view_pages' => array('channel_r_pages',   intval(PERMS_R_PAGES),   true, t('Can view my "public" pages'), ''),
+		'view_stream'   => array('channel_r_stream',  intval(PERMS_R_STREAM),  true, t('Can view my normal stream and posts'), ''),
+		'view_profile'  => array('channel_r_profile', intval(PERMS_R_PROFILE), true, t('Can view my default channel profile'), ''),
+		'view_photos'   => array('channel_r_photos',  intval(PERMS_R_PHOTOS),  true, t('Can view my photo albums'), ''),
+		'view_contacts' => array('channel_r_abook',   intval(PERMS_R_ABOOK),   true, t('Can view my connections'), ''),
+		'view_storage' => array('channel_r_storage',   intval(PERMS_R_STORAGE),   true, t('Can view my file storage'), ''),
+		'view_pages' => array('channel_r_pages',   intval(PERMS_R_PAGES),   true, t('Can view my webpages'), ''),
 
 		// Write permissions
 		'send_stream'   => array('channel_w_stream',  intval(PERMS_W_STREAM),  false, t('Can send me their channel stream and posts'), ''),
@@ -27,10 +27,10 @@ function get_perms() {
 
 		'tag_deliver'   => array('channel_w_tagwall', intval(PERMS_W_TAGWALL), false, t('Can forward to all my channel contacts via post @mentions'), t('Advanced - useful for creating group forum channels')),
 		'chat'          => array('channel_w_chat',    intval(PERMS_W_CHAT),    false, t('Can chat with me (when available)'), t('')),
-		'write_storage' => array('channel_w_storage',   intval(PERMS_W_STORAGE),   false, t('Can write to my "public" file storage'), ''),
-		'write_pages' => array('channel_w_pages',   intval(PERMS_W_PAGES),   false, t('Can edit my "public" pages'), ''),
+		'write_storage' => array('channel_w_storage',   intval(PERMS_W_STORAGE),   false, t('Can write to my file storage'), ''),
+		'write_pages' => array('channel_w_pages',   intval(PERMS_W_PAGES),   false, t('Can edit my webpages'), ''),
 
-		'republish' => array('channel_a_republish', intval(PERMS_A_REPUBLISH), false, t('Can source my "public" posts in derived channels'), t('Somewhat advanced - very useful in open communities')),
+		'republish' => array('channel_a_republish', intval(PERMS_A_REPUBLISH), false, t('Can source my public posts in derived channels'), t('Somewhat advanced - very useful in open communities')),
 
 		'delegate'      => array('channel_a_delegate', intval(PERMS_A_DELEGATE),    false, t('Can administer my channel resources'), t('Extremely advanced. Leave this alone unless you know what you are doing')),
 	);