author | Mario <mario@mariovavti.com> | 2023-06-01 10:15:35 +0000 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2023-06-01 10:15:35 +0000 |
commit | 4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04 (patch) | |
tree | 5fdbeb5ea43c2f59496d42c3681c81af3184239e /include | |
parent | 423fdc0a9618e322636a5291ed92df00115fafb0 (diff) | |
add owner and author to item_permissions_sql()
Diffstat (limited to 'include')
-rw-r--r-- | include/security.php | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/include/security.php b/include/security.php
index de9f1f337..2fbe1da1a 100644
--- a/include/security.php
+++ b/include/security.php
@@ -490,12 +490,19 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 $gs = '<<>>'; // should be impossible to match
 }
+ // This function is often called without an $owner_id in places where this could not be
+ // determined in advance. The ACL fields will usually not contain the original author or owner
+ // so we will also check for author_xchan and owner_xchan to account for this ACL deficiency.
+
 $regexop = db_getfunc('REGEXP');
 $sql = sprintf(
- " AND (( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
- AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
- ) OR ( item_private = 1 $scope ))
+ " AND ( author_xchan = '%s' OR owner_xchan = '%s' OR
+ (( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+ ))) ",
+ dbesc($observer),
+ dbesc($observer),
 dbesc($cs),
 dbesc($gs),
 dbesc($cs), |