authorfriendica <info@friendica.com>2014-01-05 19:25:56 -0800
committerfriendica <info@friendica.com>2014-01-05 19:25:56 -0800
commitdaf5daa2d3c53a70102c930647bb1e0e755abe28 (patch)
tree16f98552676e4d12c6420b21786b2413511d7210 /include
parente10c237386c95a180a1b6951304b98ce1d953551 (diff)
disable web browser post inputs if no storage write permission
Diffstat (limited to 'include')
-rw-r--r--include/reddav.php89
1 files changed, 89 insertions, 0 deletions
diff --git a/include/reddav.php b/include/reddav.php
index fc4a53b17..34dbfa0fd 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -92,6 +92,8 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
$this->folder_hash = '';
$this->getDir();
+ if($this->auth->browser)
+ $this->auth->browser->set_writeable();
}
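Review bot: The `set_writeable()` call added at the end of this constructor only toggles the browser plugin's `enablePost` flag, which presumably controls the HTML upload and create-folder forms, so it is a display decision and not an access check. Requests that do not come from those forms still reach the node's own write methods, and those need their own `perm_is_allowed(..., 'write_storage')` test. `createFile()` and `createDirectory()` are outside this hunk, so that should be confirmed there. I would add a comment above the call such as `// UI hint only: write permission is enforced in createFile()/createDirectory()`. The constructor begins outside the hunk, so how `$this->auth` is populated before this point cannot be seen from here.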
@@ -657,3 +659,90 @@ dbg(0);
}
+class RedBasicAuth extends Sabre\DAV\Auth\Backend\AbstractBasic {
+
+ public $channel_name = '';
+ public $channel_id = 0;
+ public $channel_hash = '';
+ public $observer = '';
+ public $browser;
+ public $owner_id;
+
+ protected function validateUserPass($username, $password) {
+ require_once('include/auth.php');
+ $record = account_verify_password($email,$pass);
+ if($record && $record['account_default_channel']) {
+ $r = q("select * from channel where channel_account_id = %d and channel_id = %d limit 1",
+ intval($record['account_id']),
+ intval($record['account_default_channel'])
+ );
+ if($r) {
+ $this->currentUser = $r[0]['channel_address'];
+ $this->channel_name = $r[0]['channel_address'];
+ $this->channel_id = $r[0]['channel_id'];
+ $this->channel_hash = $this->observer = $r[0]['channel_hash'];
+ return true;
+ }
+ }
+ $r = q("select * from channel where channel_address = '%s' limit 1",
+ dbesc($username)
+ );
+ if($r) {
+ $x = q("select * from account where account_id = %d limit 1",
+ intval($r[0]['channel_account_id'])
+ );
+ if($x) {
+ foreach($x as $record) {
+ if(($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)
+ && (hash('whirlpool',$record['account_salt'] . $password) === $record['account_password'])) {
+ logger('(DAV) RedBasicAuth: password verified for ' . $username);
+ $this->currentUser = $r[0]['channel_address'];
+ $this->channel_name = $r[0]['channel_address'];
+ $this->channel_id = $r[0]['channel_id'];
+ $this->channel_hash = $this->observer = $r[0]['channel_hash'];
+ return true;
+ }
+ }
+ }
+ }
+ logger('(DAV) RedBasicAuth: password failed for ' . $username);
+ return false;
+ }
+
+ function setCurrentUser($name) {
+ $this->currentUser = $name;
+ }
+
+ function setBrowserPlugin($browser) {
+ $this->browser = $browser;
+ }
+
+}
+
+
+class RedBrowser extends DAV\Browser\Plugin {
+
+ private $auth;
+
+ function __construct(&$auth) {
+
+ $this->auth = $auth;
+
+
+ }
+
+ function set_writeable() {
+ logger('RedBrowser: ' . print_r($this->auth,true));
+
+ if(! $this->auth->owner_id)
+ $this->enablePost = false;
+
+
+ if(! perm_is_allowed($this->auth->owner_id, get_observer_hash(), 'write_storage'))
+ $this->enablePost = false;
+ else
+ $this->enablePost = true;
+
+ }
+
+} \ No newline at end of file
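Review bot: In `validateUserPass` the fallback condition mixes `||` and `&&` without grouping, so `&&` binds first and an account whose `account_flags` equals `ACCOUNT_OK` is accepted without the password hash being compared at all. The two flag tests need their own parentheses, `if((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED))`, ahead of the existing `&& (hash(...) === ...)` line. The first attempt calls `account_verify_password($email,$pass)` with variables that are never defined in this method, so every login appears to fall through to that fallback; it should read `account_verify_password($username,$password)`. The digest comparison is better done with `hash_equals()` than `===` where the PHP version provides it. In `RedBrowser::set_writeable()` the `owner_id` guard is overridden by the if/else that follows and should `return` after clearing `enablePost`, and the `print_r($this->auth,true)` log line writes the whole auth object on every call and should be dropped or reduced to the channel name.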