Merge https://github.com/friendica/red into zpull

4 files changed, 48 insertions, 15 deletions

diff --git a/mod/connections.php b/mod/connections.php
index 88291ba8d..2ba65fc0e 100644
--- a/mod/connections.php
+++ b/mod/connections.php
@@ -159,7 +159,7 @@ function connections_content(&$a) {
 
 	$sort_type = 0;
 	$o = '';
-	nav_set_selected('connections');
+	nav_set_selected('intros');
 
 
 	if(! local_user()) {
diff --git a/mod/editwebpage.php b/mod/editwebpage.php
index d15d9f364..c7323a7f7 100644
--- a/mod/editwebpage.php
+++ b/mod/editwebpage.php
@@ -5,26 +5,50 @@ require_once('acl_selectors.php');
 
 function editwebpage_content(&$a) {
 
+// We first need to figure out who owns the webpage, grab it from an argument
+        $which = argv(1);
+
+// $a->get_channel() and stuff don't work here, so we've got to find the owner for ourselves.
+	$owner = q("select channel_id from channel where channel_address = '%s'",
+		dbesc($which)
+		);
+
+
+        if((local_user()) && (argc() > 2) && (argv(2) === 'view')) {
+                $which = $channel['channel_address'];
+        }
+
+
 	$o = '';
 
-	// We can do better, but for now, editing only works for your own pages, so...
-	if(! local_user()) {
-		notice( t('Permission denied.') . EOL);
-		return;
-	}
 
-	$post_id = ((argc() > 1) ? intval(argv(1)) : 0);
+// Figure out which post we're editing
+	$post_id = ((argc() > 2) ? intval(argv(2)) : 0);
+
 
 	if(! $post_id) {
 		notice( t('Item not found') . EOL);
 		return;
 	}
 
-	// uid and author_xchan alone should be enough - but it doesn't seem to be any more expensive to use both, so keep it in case of edge cases
-        $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s and author_xchan = '%s' LIMIT 1",
+// Now we've got a post and an owner, let's find out if we're allowed to edit it
+
+        $observer = $a->get_observer();
+        $ob_hash = (($observer) ? $observer['xchan_hash'] : '');
+
+        $perms = get_all_perms($owner,$ob_hash);
+
+        if(! $perms['write_pages']) {
+                notice( t('Permission denied.') . EOL);
+                return;
+        }
+
+
+
+// We've already figured out which item we want and whose copy we need, so we don't need anything fancy here
+        $itm = q("SELECT * FROM `item` WHERE `id` = %d and uid = %s LIMIT 1",
                 intval($post_id),
-                intval(local_user()),
-                dbesc(get_observer_hash())
+                intval($owner)
         );
 
 
@@ -61,9 +85,14 @@ function editwebpage_content(&$a) {
 
 	//$tpl = replace_macros($tpl,array('$jotplugins' => $jotplugins));	
 	
+//FIXME A return path with $_SESSION doesn't work for observer (at least, not here it doesn't).  It'll WSoD instead of loading a sensible page.  So, send folk 
+//back to the channel address until somebody figures out how to fix it - we can't send them back to webpages, because that could leak private pages they can't see
+//when ACL is done.
+
+	$rp = 'channel' . '/' . $which;
 
 	$o .= replace_macros($tpl,array(
-		'$return_path' => $_SESSION['return_url'],
+		'$return_path' => $rp,
 		'$action' => 'item',
 		'$share' => t('Edit'),
 		'$upload' => t('Upload photo'),
@@ -93,7 +122,7 @@ function editwebpage_content(&$a) {
 		'$lockstate' => $lockstate,
 		'$acl' => '', 
 		'$bang' => '',
-		'$profile_uid' => local_user(),
+		'$profile_uid' => (intval($owner)),
 		'$preview' => ((feature_enabled(local_user(),'preview')) ? t('Preview') : ''),
 		'$jotplugins' => $jotplugins,
 		'$sourceapp' => t($a->sourcename),
diff --git a/mod/events.php b/mod/events.php
index 44f7522ad..f43a99cba 100755
--- a/mod/events.php
+++ b/mod/events.php
@@ -135,6 +135,8 @@ function events_content(&$a) {
 		return;
 	}
 
+	nav_set_selected('all_events');
+
 	if((argc() > 2) && (argv(1) === 'ignore') && intval(argv(2))) {
 		$r = q("update event set ignore = 1 where id = %d and uid = %d limit 1",
 			intval(argv(2)),
diff --git a/mod/webpages.php b/mod/webpages.php
index cf6a99d1e..f2026ea0b 100644
--- a/mod/webpages.php
+++ b/mod/webpages.php
@@ -60,10 +60,12 @@ $r = q("select * from item_id where uid = %d and service = 'WEBPAGE'",
 		}
 
 
-
+//Build the base URL for edit links
+		$url = z_root() . "/editwebpage/" . $a->profile['channel_address']; 
 // This isn't pretty, but it works.  Until I figure out what to do with the UI, it's Good Enough(TM).
        return $o . replace_macros(get_markup_template("webpagelist.tpl"), array(
-		'$editlink' => t('Edit'),
+		'$baseurl' => $url,
+		'$edit' => t('Edit'),
 		'$pages' => $pages,
 		'$channel' => $a->profile['channel_address'],
 		'$view' => t('View'),