aboutsummaryrefslogtreecommitdiffstats
path: root/mod/editwebpage.php
diff options
context:
space:
mode:
authorThomas Willingham <founder@kakste.com>2013-08-01 18:40:50 +0100
committerThomas Willingham <founder@kakste.com>2013-08-01 18:40:50 +0100
commitf3791d48b0249bd6e782c1f7968a42888cec28b5 (patch)
tree3e6ce93decd45e582cb61131c9d4c9fa00767448 /mod/editwebpage.php
parent2a848c0d3704ac7a4dbce71947c5cb1b362dd749 (diff)
downloadvolse-hubzilla-f3791d48b0249bd6e782c1f7968a42888cec28b5.tar.gz
volse-hubzilla-f3791d48b0249bd6e782c1f7968a42888cec28b5.tar.bz2
volse-hubzilla-f3791d48b0249bd6e782c1f7968a42888cec28b5.zip
"Can edit my webpages" permissions
Diffstat (limited to 'mod/editwebpage.php')
-rw-r--r--mod/editwebpage.php54
1 files changed, 42 insertions, 12 deletions
diff --git a/mod/editwebpage.php b/mod/editwebpage.php
index d15d9f364..57a1ab911 100644
--- a/mod/editwebpage.php
+++ b/mod/editwebpage.php
@@ -5,26 +5,51 @@ require_once('acl_selectors.php');
function editwebpage_content(&$a) {
+// We first need to figure out who owns the webpage, grab it from an argument
+ $which = argv(1);
+ logger('which: ' . print_r ($which,true));
+
+// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
+ $owner = q("select channel_id from channel where channel_address = '%s'",
+ dbesc($which)
+ );
+
+
+ if((local_user()) && (argc() > 2) && (argv(2) === 'view')) {
+ $which = $channel['channel_address'];
+ }
+
+
$o = '';
- // We can do better, but for now, editing only works for your own pages, so...
- if(! local_user()) {
- notice( t('Permission denied.') . EOL);
- return;
- }
- $post_id = ((argc() > 1) ? intval(argv(1)) : 0);
+// Figure out which post we're editing
+ $post_id = ((argc() > 2) ? intval(argv(2)) : 0);
+
if(! $post_id) {
notice( t('Item not found') . EOL);
return;
}
- // uid and author_xchan alone should be enough - but it doesn't seem to be any more expensive to use both, so keep it in case of edge cases
- $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s and author_xchan = '%s' LIMIT 1",
+// Now we've got a post and an owner, let's find out if we're allowed to edit it
+
+ $observer = $a->get_observer();
+ $ob_hash = (($observer) ? $observer['xchan_hash'] : '');
+
+ $perms = get_all_perms($owner,$ob_hash);
+
+ if(! $perms['write_pages']) {
+ notice( t('Permission denied.') . EOL);
+ return;
+ }
+
+
+
+// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
+ $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
intval($post_id),
- intval(local_user()),
- dbesc(get_observer_hash())
+ intval($owner)
);
@@ -61,9 +86,14 @@ function editwebpage_content(&$a) {
//$tpl = replace_macros($tpl,array('$jotplugins' => $jotplugins));
+//FIXME A return path with $_SESSION doesn't work for observer (at least, not here it doesn't). It'll WSoD instead of loading a sensible page. So, send folk
+//back to the channel address until somebody figures out how to fix it - we can't send them back to webpages, because that could leak private pages they can't see
+//when ACL is done.
+
+ $rp = 'channel' . '/' . $which;
$o .= replace_macros($tpl,array(
- '$return_path' => $_SESSION['return_url'],
+ '$return_path' => $rp,
'$action' => 'item',
'$share' => t('Edit'),
'$upload' => t('Upload photo'),
@@ -93,7 +123,7 @@ function editwebpage_content(&$a) {
'$lockstate' => $lockstate,
'$acl' => '',
'$bang' => '',
- '$profile_uid' => local_user(),
+ '$profile_uid' => (intval($owner)),
'$preview' => ((feature_enabled(local_user(),'preview')) ? t('Preview') : ''),
'$jotplugins' => $jotplugins,
'$sourceapp' => t($a->sourcename),