author | Mario <mario@mariovavti.com> | 2024-09-19 06:59:27 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2024-09-19 06:59:27 +0000 |
commit | 39ee872f49855cae679a0c5c2747b24bf5d12082 (patch) | |
tree | 0a981edf4cd3d1e1e0e40c264300fb0566f46972 /include | |
parent | a7c51f5d654cca2a3c637006de09836ee3f9dfc4 (diff) | |
prefer token if available
Diffstat (limited to 'include')
-rw-r--r-- | include/attach.php | 1 | ||||
-rw-r--r-- | include/security.php | 30 |
2 files changed, 15 insertions, 16 deletions
diff --git a/include/attach.php b/include/attach.php
index 449721793..28aa14ec6 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -348,6 +348,7 @@ function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) {
 $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
+
 $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
 dbesc($resource),
 intval($uid)
diff --git a/include/security.php b/include/security.php
index 93d951687..4b072cf92 100644
--- a/include/security.php
+++ b/include/security.php
@@ -321,6 +321,7 @@ function change_channel($change_channel) {
 function permissions_sql($owner_id, $remote_observer = null, $table = '', $token = EMPTY_STR) {
 $local_channel = local_channel();
+ $observer = $remote_observer ?? get_observer_hash();
 /**
 * Construct permissions
@@ -344,15 +345,22 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token
 if (($local_channel) && ($local_channel == $owner_id)) {
 return EMPTY_STR;
 }
- /**
- * Authenticated visitor.
- */
- else {
- $observer = ((!is_null($remote_observer)) ? $remote_observer : get_observer_hash());
+ /*
+ * OCAP token access
+ */
- if ($observer) {
+ if ($token) {
+ $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') .
+ "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )";
+ }
+
+ /**
+ * Authenticated visitor.
+ */
+
+ elseif ($observer) {
 $sec = get_security_ids($owner_id, $observer);
@@ -400,16 +408,6 @@ function permissions_sql($owner_id, $remote_observer = null, $table = '', $token
 dbesc($gs)
 );
 }
-
- /*
- * OCAP token access
- */
-
- elseif ($token) {
- $sql = " AND ( {$table}allow_cid like '" . protect_sprintf('%<token:' . $token . '>%') .
- "' OR ( {$table}allow_cid = '' AND {$table}allow_gid = '' AND {$table}deny_cid = '' AND {$table}deny_gid = '' ) )";
- }
- }
 return $sql; |
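Review bot: In the new `if ($token)` branch the token is concatenated straight into the quoted LIKE pattern, `protect_sprintf('%<token:' . $token . '>%')`, with no `dbesc()` visible in this hunk; protect_sprintf() appears to exist only to double `%` for the later sprintf pass in q(), so unless every caller already escapes `$token` this is a SQL injection point, and a token containing `%` or `_` would also act as a LIKE wildcard (a bare `%` would match any `<token:…>` grant). Since this commit now lets a supplied token take precedence over the authenticated observer, the branch is reachable by anyone who can put a token in the request, which makes input validation here more important than before; something like `if ($token && !preg_match('/^[A-Za-z0-9]+$/', $token)) { $token = EMPTY_STR; }` ahead of the pattern (with the character class matched to how tokens are actually minted) plus `dbesc()` on the value would close both issues. The new precedence is itself a behaviour change worth stating in the docblock, e.g. `* A non-empty $token is authoritative: observer-based ACLs are only evaluated when no token is supplied.`, because a client presenting a stale or wrong token now gets the token result even where its identity would have granted access. permissions_sql() opens in the preceding hunk and the rest of its body lies outside this one.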