diff options
| author | friendica <info@friendica.com> | 2013-01-22 19:36:14 -0800 |
|---|---|---|
| committer | friendica <info@friendica.com> | 2013-01-22 19:36:14 -0800 |
| commit | c09fad42ea997ad3e1b669f7ddcf07cccb7078d1 (patch) | |
| tree | 7a80fe4c5f623b4ab07c9355521c5722d8c505e8 /mod/wall_attach.php | |
| parent | cf2488e999944ca1135ac62955527a376ad0eac2 (diff) | |
| download | volse-hubzilla-c09fad42ea997ad3e1b669f7ddcf07cccb7078d1.tar.gz volse-hubzilla-c09fad42ea997ad3e1b669f7ddcf07cccb7078d1.tar.bz2 volse-hubzilla-c09fad42ea997ad3e1b669f7ddcf07cccb7078d1.zip | |
fix observer permissions on wall_attach
Diffstat (limited to 'mod/wall_attach.php')
| -rw-r--r-- | mod/wall_attach.php | 71 |
1 files changed, 19 insertions, 52 deletions
diff --git a/mod/wall_attach.php b/mod/wall_attach.php index 5d9331ed0..865605313 100644 --- a/mod/wall_attach.php +++ b/mod/wall_attach.php @@ -13,13 +13,13 @@ function wall_attach_post(&$a) { $r = q("SELECT channel.* from channel where channel_address = '%s' limit 1", dbesc($nick) ); - if(! ($r && count($r))) - return; + if(! $r) + killme(); $channel = $r[0]; } else - return; + killme(); $can_post = false; @@ -29,43 +29,10 @@ function wall_attach_post(&$a) { $page_owner_uid = $channel['channel_id']; + $observer = $a->get_observer(); -// $page_owner_cid = $r[0]['id']; -// $page_owner_nick = $r[0]['nickname']; -// $community_page = (($r[0]['page-flags'] == PAGE_COMMUNITY) ? true : false); - - if((local_user()) && (local_user() == $page_owner_uid)) - $can_post = true; - -// FIXME for forum and guests -// else { -// if($community_page && remote_user()) { -// $cid = 0; -// if(is_array($_SESSION['remote'])) { -// foreach($_SESSION['remote'] as $v) { -// if($v['uid'] == $page_owner_uid) { -// $cid = $v['cid']; -// break; -// } -// } -// } -// if($cid) {// - -// $r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1", -// intval($cid), -// intval($page_owner_uid) -// ); -// if(count($r)) { -// $can_post = true; -// $visitor = $cid; -// } -// } -// } -// } - - - if(! $can_post) { - notice( t('Permission denied.') . EOL ); + if(! perm_is_allowed($page_owner_uid,$observer['xchan_hash'],'write_storage')) { + notice( t('Permission denied.') . EOL); killme(); } @@ -81,28 +48,28 @@ function wall_attach_post(&$a) { if(($maxfilesize) && ($filesize > $maxfilesize)) { notice( sprintf(t('File exceeds size limit of %d'), $maxfilesize) . EOL); @unlink($src); - return; + killme(); } - $r = q("select sum(octet_length(data)) as total from attach where uid = %d ", - intval($page_owner_uid) - ); - $limit = service_class_fetch($page_owner_uid,'attach_upload_limit'); - - if(($limit !== false) && (($r[0]['total'] + strlen($imagedata)) > $limit)) { - echo upgrade_message(true) . EOL ; - @unlink($src); - killme(); + if($limit !== false) { + $r = q("select sum(filesize) as total from attach where uid = %d ", + intval($page_owner_uid) + ); + if(($r) && (($r[0]['total'] + strlen($imagedata)) > $limit)) { + echo upgrade_message(true) . EOL ; + @unlink($src); + killme(); + } } - $filedata = @file_get_contents($src); $mimetype = z_mime_content_type($filename); $hash = random_string(); $created = datetime_convert(); - $r = q("INSERT INTO `attach` ( `uid`, `hash`, `filename`, `filetype`, `filesize`, `data`, `created`, `edited`, `allow_cid`, `allow_gid`,`deny_cid`, `deny_gid` ) - VALUES ( %d, '%s', '%s', '%s', %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", + $r = q("INSERT INTO `attach` ( `aid`, `uid`, `hash`, `filename`, `filetype`, `filesize`, `data`, `created`, `edited`, `allow_cid`, `allow_gid`,`deny_cid`, `deny_gid` ) + VALUES ( %d, %d, '%s', '%s', '%s', %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ", + intval($channel['channel_account_id']), intval($page_owner_uid), dbesc($hash), dbesc($filename), |