aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorChristian Vogeley <christian.vogeley@hotmail.de>2013-08-03 00:04:26 +0200
committerChristian Vogeley <christian.vogeley@hotmail.de>2013-08-03 00:04:26 +0200
commitc0cd147a3a9a86b270ea32026089ced16fb2f50c (patch)
tree77232d70031622a162f4e00aec128961ecc7a764 /include
parentd2d1e54bfe928fe4cdfdcfc7e9acf658cda76898 (diff)
parent1d816ba90ad3408822dc64f294597273fd19bc57 (diff)
downloadvolse-hubzilla-c0cd147a3a9a86b270ea32026089ced16fb2f50c.tar.gz
volse-hubzilla-c0cd147a3a9a86b270ea32026089ced16fb2f50c.tar.bz2
volse-hubzilla-c0cd147a3a9a86b270ea32026089ced16fb2f50c.zip
merge
Diffstat (limited to 'include')
-rw-r--r--include/ItemObject.php2
-rw-r--r--include/attach.php4
-rw-r--r--include/config.php36
-rw-r--r--include/conversation.php2
-rw-r--r--include/enotify.php17
-rwxr-xr-xinclude/items.php185
-rw-r--r--include/message.php94
-rw-r--r--include/notifier.php5
-rw-r--r--include/photo/photo_imagick.php4
-rw-r--r--include/security.php82
-rwxr-xr-xinclude/text.php18
-rw-r--r--include/zot.php25
12 files changed, 295 insertions, 179 deletions
diff --git a/include/ItemObject.php b/include/ItemObject.php
index b31e60cbc..8c8c0ee2a 100644
--- a/include/ItemObject.php
+++ b/include/ItemObject.php
@@ -262,7 +262,7 @@ class Item extends BaseObject {
}
}
- $result['private'] = $item['private'];
+ $result['private'] = $item['item_private'];
$result['toplevel'] = ($this->is_toplevel() ? 'toplevel_item' : '');
if($this->is_threaded()) {
diff --git a/include/attach.php b/include/attach.php
index 38a011bcb..46d406f4b 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -193,13 +193,13 @@ function attach_by_hash($hash,$rev = 0) {
$sql_extra = permissions_sql($r[0]['uid']);
// Now we'll see if we can access the attachment
-
+dbg(1);
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
dbesc($hash),
intval($r[0]['uid'])
);
-
+dbg(0);
if(! $r) {
$ret['message'] = t('Permission denied.');
return $ret;
diff --git a/include/config.php b/include/config.php
index 1f7a4dbd7..38840f5e4 100644
--- a/include/config.php
+++ b/include/config.php
@@ -130,20 +130,12 @@ function load_pconfig($uid,$family = '') {
if(! array_key_exists($uid,$a->config))
$a->config[$uid] = array();
- if(($family) && (! array_key_exists($family,$a->config[$uid])))
- $a->config[$uid][$family] = array();
- if($family) {
- $r = q("SELECT * FROM `pconfig` WHERE `cat` = '%s' AND `uid` = %d",
- dbesc($family),
- intval($uid)
- );
- }
- else {
- $r = q("SELECT * FROM `pconfig` WHERE `uid` = %d",
- intval($uid)
- );
- }
+ // family is no longer used - load entire user config
+
+ $r = q("SELECT * FROM `pconfig` WHERE `uid` = %d",
+ intval($uid)
+ );
if($r) {
foreach($r as $rr) {
@@ -266,20 +258,12 @@ function load_xconfig($xchan,$family = '') {
if(! array_key_exists($xchan,$a->config))
$a->config[$xchan] = array();
- if(($family) && (! array_key_exists($family,$a->config[$xchan])))
- $a->config[$xchan][$family] = array();
- if($family) {
- $r = q("SELECT * FROM `xconfig` WHERE `cat` = '%s' AND `xchan` = '%s'",
- dbesc($family),
- dbesc($xchan)
- );
- }
- else {
- $r = q("SELECT * FROM `xconfig` WHERE `xchan` = '%s'",
- dbesc($xchan)
- );
- }
+ // family is no longer used. Entire config is loaded
+
+ $r = q("SELECT * FROM `xconfig` WHERE `xchan` = '%s'",
+ dbesc($xchan)
+ );
if($r) {
foreach($r as $rr) {
diff --git a/include/conversation.php b/include/conversation.php
index 1023c068d..61b563a5d 100644
--- a/include/conversation.php
+++ b/include/conversation.php
@@ -1128,6 +1128,8 @@ function conv_sort($arr,$order) {
usort($parents,'sort_thr_created');
elseif(stristr($order,'commented'))
usort($parents,'sort_thr_commented');
+ elseif(stristr($order,'ascending'))
+ usort($parents,'sort_thr_created_rev');
if(count($parents))
foreach($parents as $i=>$_x)
diff --git a/include/enotify.php b/include/enotify.php
index 3b7a643ed..fc8eb6439 100644
--- a/include/enotify.php
+++ b/include/enotify.php
@@ -33,7 +33,7 @@ function notification($params) {
push_lang($recip['account_language']); // should probably have a channel language
- $banner = t('Red Notification');
+ $banner = t('Red Matrix Notification');
$product = RED_PLATFORM;
$siteurl = $a->get_baseurl(true);
$thanks = t('Thank You,');
@@ -89,7 +89,7 @@ function notification($params) {
intval($recip['channel_id'])
);
if($p) {
- logger('notification comment already notified');
+ logger('notification: comment already notified');
pop_lang();
return;
}
@@ -168,6 +168,19 @@ function notification($params) {
}
if($params['type'] == NOTIFY_TAGSELF) {
+
+ $p = null;
+ $p = q("select id from notify where link = '%s' and uid = %d limit 1",
+ dbesc($params['link']),
+ intval($recip['channel_id'])
+ );
+ if($p) {
+ logger('enotify: tag: already notified about this post');
+ pop_lang();
+ return;
+ }
+
+
$subject = sprintf( t('[Red:Notify] %s tagged you') , $sender['xchan_name']);
$preamble = sprintf( t('%1$s tagged you at %2$s') , $sender['xchan_name'], $sitename);
$epreamble = sprintf( t('%1$s [zrl=%2$s]tagged you[/zrl].') ,
diff --git a/include/items.php b/include/items.php
index 863fa419b..bacb68909 100755
--- a/include/items.php
+++ b/include/items.php
@@ -491,7 +491,6 @@ function title_is_body($title, $body) {
function get_item_elements($x) {
$arr = array();
-
$arr['body'] = (($x['body']) ? htmlentities($x['body'],ENT_COMPAT,'UTF-8',false) : '');
$arr['created'] = datetime_convert('UTC','UTC',$x['created']);
@@ -506,6 +505,11 @@ function get_item_elements($x) {
$arr['edited'] = datetime_convert();
$arr['title'] = (($x['title']) ? htmlentities($x['title'], ENT_COMPAT,'UTF-8',false) : '');
+
+ if(mb_strlen($arr['title']) > 255)
+ $arr['title'] = mb_substr($arr['title'],0,255);
+
+
$arr['app'] = (($x['app']) ? htmlentities($x['app'], ENT_COMPAT,'UTF-8',false) : '');
$arr['mid'] = (($x['message_id']) ? htmlentities($x['message_id'], ENT_COMPAT,'UTF-8',false) : '');
$arr['parent_mid'] = (($x['message_top']) ? htmlentities($x['message_top'], ENT_COMPAT,'UTF-8',false) : '');
@@ -528,6 +532,21 @@ function get_item_elements($x) {
$arr['item_private'] = ((array_key_exists('flags',$x) && is_array($x['flags']) && in_array('private',$x['flags'])) ? 1 : 0);
+ $arr['item_flags'] = 0;
+
+ // if it's a private post, encrypt it in the DB.
+ // We have to do that here because we need to cleanse the input and prevent bad stuff from getting in,
+ // and we need plaintext to do that.
+
+ if(intval($arr['item_private'])) {
+ $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED;
+ $key = get_config('system','pubkey');
+ if($arr['title'])
+ $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key));
+ if($arr['body'])
+ $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key));
+ }
+
if(array_key_exists('flags',$x) && in_array('deleted',$x['flags']))
$arr['item_restrict'] = ITEM_DELETED;
@@ -599,6 +618,14 @@ function encode_item($item) {
$scope = map_scope($public_scope);
$c_scope = map_scope($comment_scope);
+ if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) {
+ $key = get_config('system','prvkey');
+ if($item['title'])
+ $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key);
+ if($item['body'])
+ $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key);
+ }
+
if($item['item_restrict'] & ITEM_DELETED) {
$x['message_id'] = $item['mid'];
$x['created'] = $item['created'];
@@ -791,7 +818,13 @@ function encode_mail($item) {
$x = array();
$x['type'] = 'mail';
- logger('encode_mail: ' . print_r($item,true));
+ if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) {
+ $key = get_config('system','prvkey');
+ if($item['title'])
+ $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key);
+ if($item['body'])
+ $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key);
+ }
$x['message_id'] = $item['mid'];
$x['message_parent'] = $item['parent_mid'];
@@ -803,9 +836,6 @@ function encode_mail($item) {
$x['flags'] = array();
- if($item['mail_flags'] & MAIL_OBSCURED)
- $x['flags'][] = 'obscured';
-
if($item['mail_flags'] & MAIL_RECALLED) {
$x['flags'][] = 'recalled';
$x['title'] = '';
@@ -832,18 +862,16 @@ function get_mail_elements($x) {
if(in_array('recalled',$x['flags'])) {
$arr['mail_flags'] |= MAIL_RECALLED;
}
- if(in_array('obscured',$x['flags'])) {
-
- $arr['mail_flags'] |= MAIL_OBSCURED;
- $arr['body'] = base64url_decode($arr['body']);
- $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false);
- $arr['body'] = base64url_encode($arr['body']);
- $arr['title'] = base64url_decode($arr['title']);
- $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false);
- $arr['title'] = base64url_encode($arr['title']);
- }
}
+ $key = get_config('system','pubkey');
+ $arr['mail_flags'] |= MAIL_OBSCURED;
+ $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false);
+ if($arr['body'])
+ $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key));
+ $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false);
+ if($arr['title'])
+ $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key));
if($arr['created'] > datetime_convert())
$arr['created'] = datetime_convert();
@@ -1328,24 +1356,56 @@ function item_store($arr,$force_parent = false) {
if(array_key_exists('parent',$arr))
unset($arr['parent']);
- $arr['lang'] = detect_language($arr['body']);
+ $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
+ $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
+ $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
- $allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
+ $arr['allow_cid'] = ((x($arr,'allow_cid')) ? trim($arr['allow_cid']) : '');
+ $arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : '');
+ $arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : '');
+ $arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : '');
+ $arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 );
+ $arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 );
- if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
- $translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
- call_hooks('item_translate', $translate);
- if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
- logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
- return;
+ // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring
+
+ if($arr['mimetype'] != 'text/html') {
+ if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
+ $arr['body'] = escape_tags($arr['body']);
+ if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false))
+ $arr['title'] = escape_tags($arr['title']);
+ }
+
+ // only detect language if we have text content, and if the post is private but not yet
+ // obscured, make it so.
+
+ if(! ($arr['item_flags'] & ITEM_OBSCURED)) {
+ $arr['lang'] = detect_language($arr['body']);
+
+ $allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages');
+
+ if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) {
+ $translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false);
+ call_hooks('item_translate', $translate);
+ if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) {
+ logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']);
+ return;
+ }
+ $arr = $translate['item'];
}
- $arr = $translate['item'];
+ if($arr['item_private']) {
+ $key = get_config('system','pubkey');
+ $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED;
+ if($arr['title'])
+ $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key));
+ if($arr['body'])
+ $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key));
+ }
+
}
- // Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin.
- if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false))
- $arr['body'] = escape_tags($arr['body']);
+
if((x($arr,'object')) && is_array($arr['object'])) {
activity_sanitise($arr['object']);
@@ -1372,8 +1432,6 @@ function item_store($arr,$force_parent = false) {
$arr['commented'] = datetime_convert();
$arr['received'] = datetime_convert();
$arr['changed'] = datetime_convert();
- $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode');
- $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : '');
$arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : '');
$arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : '');
$arr['parent_mid'] = ((x($arr,'parent_mid')) ? notags(trim($arr['parent_mid'])) : '');
@@ -1384,19 +1442,12 @@ function item_store($arr,$force_parent = false) {
$arr['tgt_type'] = ((x($arr,'tgt_type')) ? notags(trim($arr['tgt_type'])) : '');
$arr['target'] = ((x($arr,'target')) ? trim($arr['target']) : '');
$arr['plink'] = ((x($arr,'plink')) ? notags(trim($arr['plink'])) : '');
- $arr['allow_cid'] = ((x($arr,'allow_cid')) ? trim($arr['allow_cid']) : '');
- $arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : '');
- $arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : '');
- $arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : '');
- $arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 );
- $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : '');
$arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : '');
$arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : '');
$arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : 0 );
$arr['comment_policy'] = ((x($arr,'comment_policy')) ? notags(trim($arr['comment_policy'])) : 'contacts' );
- $arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 );
$arr['item_flags'] = $arr['item_flags'] | ITEM_UNSEEN;
@@ -1553,7 +1604,7 @@ function item_store($arr,$force_parent = false) {
if(strlen($allow_cid) || strlen($allow_gid) || strlen($deny_cid) || strlen($deny_gid))
$private = 1;
else
- $private = $arr['private'];
+ $private = $arr['item_private'];
// Set parent id - and also make sure to inherit the parent's ACL's.
@@ -1574,7 +1625,7 @@ function item_store($arr,$force_parent = false) {
$arr['allow_gid'] = $allow_gid;
$arr['deny_cid'] = $deny_cid;
$arr['deny_gid'] = $deny_gid;
- $arr['private'] = $private;
+ $arr['item_private'] = $private;
// Store taxonomy
@@ -2050,10 +2101,17 @@ function tgroup_check($uid,$item) {
$mention = false;
// check that the message originated elsewhere and is a top-level post
+ // or is a followup and we have already accepted the top level post
- if($arr['mid'] != $arr['parent_mid'])
+ if($item['mid'] != $item['parent_mid']) {
+ $r = q("select id from item where mid = '%s' and uid = %d limit 1",
+ dbesc($item['parent_mid']),
+ intval($uid)
+ );
+ if($r)
+ return true;
return false;
-
+ }
if(! perm_is_allowed($uid,$item['author_xchan'],'tag_deliver'))
return false;
@@ -4712,39 +4770,52 @@ function zot_feed($uid,$observer_xchan,$mindate) {
if(! $mindate)
$mindate = '0000-00-00 00:00:00';
+ $mindate = dbesc($mindate);
+
if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) {
return $result;
}
-// FIXME
- $sql_extra = item_permissions_sql($uid,$remote_contact,$groups);
+ $sql_extra = item_permissions_sql($uid);
- if($mindate != '0000-00-00 00:00:00')
+ if($mindate != '0000-00-00 00:00:00') {
$sql_extra .= " and created > '$mindate' ";
+ $limit = "";
+ }
+ else
+ $limit = " limit 0, 50 ";
+ $items = array();
-// FIXME
- // We probably should use two queries and pick up total conversations.
- // For now get a chunk of raw posts in ascending created order so that
- // hopefully the parent is imported before we see the kids.
- // This will fail if there are more than $limit kids and you didn't
- // receive the parent via direct delivery
-
- $limit = 200;
-
- $items = q("SELECT item.* from item
- WHERE uid = %d AND item_restrict = 0
+ $r = q("SELECT item.*, item.id as item_id from item
+ WHERE uid = %d AND item_restrict = 0 and id = parent
AND (item_flags & %d)
- $sql_extra ORDER BY created ASC limit 0, $limit",
+ $sql_extra ORDER BY created ASC $limit",
intval($uid),
intval(ITEM_WALL)
);
+ if($r) {
+
+ $parents_str = ids_to_querystr($r,'id');
+
+ $items = q("SELECT `item`.*, `item`.`id` AS `item_id` FROM `item`
+ WHERE `item`.`uid` = %d AND `item`.`item_restrict` = 0
+ AND `item`.`parent` IN ( %s ) ",
+ intval($uid),
+ dbesc($parents_str)
+ );
+
+ }
+
if($items) {
xchan_query($items);
$items = fetch_post_tags($items);
- } else {
- $items = array();
+ require_once('include/conversation.php');
+ $items = conv_sort($items,'ascending');
+
}
+ else
+ $items = array();
foreach($items as $item)
$result[] = encode_item($item);
diff --git a/include/message.php b/include/message.php
index 6c44a54f3..d6294cdba 100644
--- a/include/message.php
+++ b/include/message.php
@@ -2,6 +2,7 @@
/* Private Message backend API */
+require_once('include/crypto.php');
// send a private message
@@ -56,6 +57,28 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto='
$replyto = $mid;
}
+ /**
+ *
+ * When a photo was uploaded into the message using the (profile wall) ajax
+ * uploader, The permissions are initially set to disallow anybody but the
+ * owner from seeing it. This is because the permissions may not yet have been
+ * set for the post. If it's private, the photo permissions should be set
+ * appropriately. But we didn't know the final permissions on the post until
+ * now. So now we'll look for links of uploaded messages that are in the
+ * post and set them to the same permissions as the post itself.
+ *
+ */
+
+ $match = null;
+ $images = null;
+ if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match))
+ $images = $match[1];
+
+ $key = get_config('system','pubkey');
+ if($subject)
+ $subject = json_encode(aes_encapsulate($subject,$key));
+ if($body)
+ $body = json_encode(aes_encapsulate($body,$key));
$r = q("INSERT INTO mail ( account_id, mail_flags, channel_id, from_xchan, to_xchan, title, body, mid, parent_mid, created )
VALUES ( %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' )",
@@ -64,8 +87,8 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto='
intval($channel['channel_id']),
dbesc($channel['channel_hash']),
dbesc($recipient),
- dbesc(base64url_encode($subject)),
- dbesc(base64url_encode($body)),
+ dbesc($subject),
+ dbesc($body),
dbesc($mid),
dbesc($replyto),
dbesc(datetime_convert())
@@ -84,35 +107,18 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto='
return $ret;
}
- /**
- *
- * When a photo was uploaded into the message using the (profile wall) ajax
- * uploader, The permissions are initially set to disallow anybody but the
- * owner from seeing it. This is because the permissions may not yet have been
- * set for the post. If it's private, the photo permissions should be set
- * appropriately. But we didn't know the final permissions on the post until
- * now. So now we'll look for links of uploaded messages that are in the
- * post and set them to the same permissions as the post itself.
- *
- */
-
- $match = null;
-
- if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) {
- $images = $match[1];
- if(count($images)) {
- foreach($images as $image) {
- if(! stristr($image,$a->get_baseurl() . '/photo/'))
- continue;
- $image_uri = substr($image,strrpos($image,'/') + 1);
- $image_uri = substr($image_uri,0, strpos($image_uri,'-'));
- $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'",
- dbesc('<' . $recipient . '>'),
- dbesc($image_uri),
- intval($channel['channel_id']),
- dbesc('<' . $channel['channel_hash'] . '>')
- );
- }
+ if(count($images)) {
+ foreach($images as $image) {
+ if(! stristr($image,$a->get_baseurl() . '/photo/'))
+ continue;
+ $image_uri = substr($image,strrpos($image,'/') + 1);
+ $image_uri = substr($image_uri,0, strpos($image_uri,'-'));
+ $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'",
+ dbesc('<' . $recipient . '>'),
+ dbesc($image_uri),
+ intval($channel['channel_id']),
+ dbesc('<' . $channel['channel_hash'] . '>')
+ );
}
}
@@ -171,11 +177,14 @@ function private_messages_list($uid, $mailbox = '', $start = 0, $numitems = 0) {
$r[$k]['to'] = find_xchan_in_array($rr['to_xchan'],$c);
$r[$k]['seen'] = (($rr['mail_flags'] & MAIL_SEEN) ? 1 : 0);
if($r[$k]['mail_flags'] & MAIL_OBSCURED) {
- $r[$k]['title'] = base64url_decode($r[$k]['title']);
- $r[$k]['body'] = base64url_decode($r[$k]['body']);
- }
-
+ logger('unencrypting');
+ $key = get_config('system','prvkey');
+ if($r[$k]['title'])
+ $r[$k]['title'] = aes_unencapsulate(json_decode($r[$k]['title'],true),$key);
+ if($r[$k]['body'])
+ $r[$k]['body'] = aes_unencapsulate(json_decode($r[$k]['body'],true),$key);
+ }
}
return $r;
@@ -209,8 +218,11 @@ function private_messages_fetch_message($channel_id, $messageitem_id, $updatesee
$messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c);
$messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c);
if($messages[$k]['mail_flags'] & MAIL_OBSCURED) {
- $messages[$k]['title'] = base64url_decode($messages[$k]['title']);
- $messages[$k]['body'] = base64url_decode($messages[$k]['body']);
+ $key = get_config('system','prvkey');
+ if($messages[$k]['title'])
+ $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key);
+ if($messages[$k]['body'])
+ $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key);
}
}
@@ -294,10 +306,12 @@ function private_messages_fetch_conversation($channel_id, $messageitem_id, $upda
$messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c);
$messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c);
if($messages[$k]['mail_flags'] & MAIL_OBSCURED) {
- $messages[$k]['title'] = base64url_decode($messages[$k]['title']);
- $messages[$k]['body'] = base64url_decode($messages[$k]['body']);
+ $key = get_config('system','prvkey');
+ if($messages[$k]['title'])
+ $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key);
+ if($messages[$k]['body'])
+ $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key);
}
-
}
diff --git a/include/notifier.php b/include/notifier.php
index 9a8866223..dea9d6072 100644
--- a/include/notifier.php
+++ b/include/notifier.php
@@ -328,7 +328,10 @@ function notifier_run($argv, $argc){
// Generic delivery section, we have an encoded item and recipients
// Now start the delivery process
- logger('notifier: encoded item: ' . print_r($encoded_item,true));
+ $x = $encoded_item;
+ $x['title'] = 'private';
+ $x['body'] = 'private';
+ logger('notifier: encoded item: ' . print_r($x,true), LOGGER_DATA);
stringify_array_elms($recipients);
if(! $recipients)
diff --git a/include/photo/photo_imagick.php b/include/photo/photo_imagick.php
index 2737c8f69..3f84fd06c 100644
--- a/include/photo/photo_imagick.php
+++ b/include/photo/photo_imagick.php
@@ -153,14 +153,14 @@ class photo_imagick extends photo_driver {
do {
$this->image->cropImage($w, $h, $x, $y);
/**
- * We need to remove the canva,
+ * We need to remove the canvas,
* or the image is not resized to the crop:
* http://php.net/manual/en/imagick.cropimage.php#97232
*/
$this->image->setImagePage(0, 0, 0, 0);
} while ($this->image->nextImage());
- $this->doScaleImage($max);
+ $this->doScaleImage($max,$max);
}
public function imageString() {
diff --git a/include/security.php b/include/security.php
index 29a0fc0bc..ef4d5a313 100644
--- a/include/security.php
+++ b/include/security.php
@@ -205,26 +205,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
+
return $sql;
}
@@ -260,25 +263,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
return $sql;
}
diff --git a/include/text.php b/include/text.php
index 2d29dff31..814c564a3 100755
--- a/include/text.php
+++ b/include/text.php
@@ -887,7 +887,7 @@ function smilies($s, $sample = false) {
'<img class="smiley" src="' . $a->get_baseurl() . '/images/smiley-facepalm.gif" alt=":facepalm" />',
'<img class="smiley" src="' . $a->get_baseurl() . '/images/like.gif" alt=":like" />',
'<img class="smiley" src="' . $a->get_baseurl() . '/images/dislike.gif" alt=":dislike" />',
- '<img class="smiley" src="' . $a->get_baseurl() . '/images/rhash-16.png" alt="red#" /></a>',
+ '<a href="http://getzot.com"><img class="smiley" src="' . $a->get_baseurl() . '/images/rhash-16.png" alt="red#" /> the Red Matrix</a>',
'<a href="http://friendica.com">~friendica <img class="smiley" src="' . $a->get_baseurl() . '/images/friendica-16.png" alt="~friendica" /></a>'
);
@@ -977,11 +977,22 @@ function link_compare($a,$b) {
-function prepare_body($item,$attach = false) {
+function prepare_body(&$item,$attach = false) {
$a = get_app();
+
+
+
call_hooks('prepare_body_init', $item);
+ if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) {
+ $key = get_config('system','prvkey');
+ if($item['title'])
+ $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key);
+ if($item['body'])
+ $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key);
+ }
+
$s = prepare_text($item['body'],$item['mimetype']);
$prep_arr = array('item' => $item, 'html' => $s);
@@ -992,6 +1003,7 @@ function prepare_body($item,$attach = false) {
return $s;
}
+
$arr = json_decode($item['attach'],true);
if(count($arr)) {
$s .= '<div class="body-attach">';
@@ -1246,7 +1258,7 @@ function feed_salmonlinks($nick) {
function get_plink($item) {
$a = get_app();
- if (x($item,'plink') && ($item['private'] != 1)) {
+ if (x($item,'plink') && ($item['item_private'] != 1)) {
return array(
'href' => $item['plink'],
'title' => t('link to source'),
diff --git a/include/zot.php b/include/zot.php
index 7369de80a..437ec0c86 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -770,8 +770,6 @@ function zot_fetch($arr) {
function zot_import($arr) {
-// logger('zot_import: ' . print_r($arr,true), LOGGER_DATA);
-
$data = json_decode($arr['body'],true);
if(! $data) {
@@ -783,8 +781,6 @@ function zot_import($arr) {
$data = json_decode(aes_unencapsulate($data,get_config('system','prvkey')),true);
}
- logger('zot_import: data' . print_r($data,true), LOGGER_DATA);
-
$incoming = $data['pickup'];
$return = array();
@@ -837,10 +833,12 @@ function zot_import($arr) {
if($i['message']) {
if($i['message']['type'] === 'activity') {
$arr = get_item_elements($i['message']);
+
if(! array_key_exists('created',$arr)) {
logger('Activity rejected: probable failure to lookup author/owner. ' . print_r($i['message'],true));
continue;
}
+
logger('Activity received: ' . print_r($arr,true), LOGGER_DATA);
logger('Activity recipients: ' . print_r($deliveries,true), LOGGER_DATA);
@@ -1022,6 +1020,18 @@ function process_delivery($sender,$arr,$deliveries,$relay) {
$perm = (($arr['mid'] == $arr['parent_mid']) ? 'send_stream' : 'post_comments');
+ // This is our own post, possibly coming from a channel clone
+
+ if($arr['owner_xchan'] == $d['hash']) {
+ $arr['item_flags'] = $arr['item_flags'] | ITEM_WALL;
+ }
+ else {
+ // clear the wall flag if it is set
+ if($arr['item_flags'] & ITEM_WALL) {
+ $arr['item_flags'] = ($arr['item_flags'] ^ ITEM_WALL);
+ }
+ }
+
if((! perm_is_allowed($channel['channel_id'],$sender['hash'],$perm)) && (! $tag_delivery)) {
logger("permission denied for delivery {$channel['channel_id']}");
$result[] = array($d['hash'],'permission denied',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>');
@@ -1565,7 +1575,7 @@ function build_sync_packet($uid = 0, $packet = null) {
// don't pass these elements, they should not be synchronised
- $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey');
+ $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey','channel_address');
if(in_array($k,$disallowed))
continue;
@@ -1605,7 +1615,8 @@ function build_sync_packet($uid = 0, $packet = null) {
function process_channel_sync_delivery($sender,$arr,$deliveries) {
-// FIXME - this will sync red structures. Eventually we need to make this application agnostic.
+// FIXME - this will sync red structures (channel, pconfig and abook). Eventually we need to make this application agnostic.
+// TODO: missing group membership changes
$result = array();
@@ -1635,7 +1646,7 @@ function process_channel_sync_delivery($sender,$arr,$deliveries) {
}
if(array_key_exists('channel',$arr) && is_array($arr['channel']) && count($arr['channel'])) {
- $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey');
+ $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey', 'channel_address');
$clean = array();
foreach($arr['channel'] as $k => $v) {