-rw-r--r-- | Zotlabs/Zot/Auth.php | 11 | ||||
-rw-r--r-- | include/security.php | 18 | ||||
-rw-r--r-- | mod/admin.php | 11 | ||||
-rw-r--r-- | view/js/acl.js | 10 | ||||
m--------- | zot | 5 |
5 files changed, 28 insertions, 27 deletions
diff --git a/Zotlabs/Zot/Auth.php b/Zotlabs/Zot/Auth.php
index 07879fbd9..fed253923 100644
--- a/Zotlabs/Zot/Auth.php
+++ b/Zotlabs/Zot/Auth.php
@@ -102,12 +102,8 @@ class Auth {
 function Verify($channel,$hubloc) {
- logger('auth request received from ' . $hubloc['hubloc_addr'] );
-
- // check credentials and access
- // If they are already authenticated and haven't changed credentials,
- // we can save an expensive network round trip and improve performance.
+ logger('auth request received from ' . $hubloc['hubloc_addr'] );
 $this->remote = remote_channel();
 $this->remote_service_class = '';
@@ -115,6 +111,11 @@ class Auth {
 $this->remote_hub = $hubloc['hubloc_url'];
 $this->dnt = 0;
+ // check credentials and access
+
+ // If they are already authenticated and haven't changed credentials,
+ // we can save an expensive network round trip and improve performance.
+ // Also check that they are coming from the same site as they authenticated with originally.
 $already_authed = (((remote_channel()) && ($hubloc['hubloc_hash'] == remote_channel())
diff --git a/include/security.php b/include/security.php
index 9a25d9e0e..d4ebe0024 100644
--- a/include/security.php
+++ b/include/security.php
@@ -93,6 +93,7 @@ function change_channel($change_channel) {
 $ret = false;
 if($change_channel) {
+
 $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and channel_removed = 0 limit 1",
 intval($change_channel),
 intval(get_account_id())
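Review bot: The comment added in the second hunk claims a same-site check ("coming from the same site as they authenticated with originally"), but the only condition visible in the hunk is `$hubloc['hubloc_hash'] == remote_channel()`; the `$already_authed` expression continues past the end of the hunk, so confirm that the continuation compares `$hubloc['hubloc_url']` with the hub stored at the original authentication — without it a session that already holds this hash would be accepted from any hub. That comparison also uses `==` on a hash string supplied by the remote hub; `===` avoids PHP's numeric-string coercion. The extra added blank line between `// check credentials and access` and the rest of the comment splits one explanation into two and should be dropped. Verify()'s body extends well beyond both hunks.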
@@ -136,14 +137,14 @@ function change_channel($change_channel) {
 }
 /**
- * @brief Creates an addiontal SQL where statement to check permissions.
+ * @brief Creates an additional SQL where statement to check permissions.
 *
 * @param int $owner_id
- * @param bool $remote_verified default false, not used at all
- * @param string $groups this param is not used at all
+ * @param bool $remote_observer - if unset use current observer
 *
 * @return string additional SQL where statement
 */
+
 function permissions_sql($owner_id, $remote_observer = null) {
 $local_channel = local_channel();
@@ -208,8 +209,7 @@ function permissions_sql($owner_id, $remote_observer = null) {
 * @brief Creates an addiontal SQL where statement to check permissions for an item.
 *
 * @param int $owner_id
- * @param bool $remote_verified default false, not used at all
- * @param string $groups this param is not used at all
+ * @param bool $remote_observer, use current observer if unset
 *
 * @return string additional SQL where statement
 */
@@ -400,11 +400,9 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
 }
-// Returns an array of group id's this contact is a member of.
-// This array will only contain group id's related to the uid of this
-// DFRN contact. They are *not* neccessarily unique across the entire site.
+// Returns an array of group hash id's on this entire site (across all channels) that this connection is a member of.
+// var $contact_id = xchan_hash of connection
-if(! function_exists('init_groups_visitor')) {
 function init_groups_visitor($contact_id) {
 $groups = array();
 $r = q("SELECT hash FROM `groups` left join group_member on groups.id = group_member.gid WHERE xchan = '%s' ",
@@ -415,7 +413,7 @@ function init_groups_visitor($contact_id) {
 $groups[] = $rr['hash'];
 }
 return $groups;
-}}
+}
diff --git a/mod/admin.php b/mod/admin.php
index 4b7cb3cd9..bac0148e0 100644
--- a/mod/admin.php
+++ b/mod/admin.php
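Review bot: The new docblock line `@param bool $remote_observer - if unset use current observer` gives the wrong type: the parameter defaults to `null` and, from its name and the hash-based observer handling elsewhere in this file, looks like an xchan hash string rather than a flag, so `@param string|null $remote_observer xchan hash of the observer; the current observer is used when null` is what a reader and static analysis need. The same `bool` appears in the item docblock in the `@@ -208` hunk, whose `@brief` line also still carries the `addiontal` typo this commit fixes one hunk above. The blank line added between the closing `*/` and `function permissions_sql` separates the docblock from the function it documents; remove it.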
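Review bot: The replacement comment on `init_groups_visitor` in the `@@ -400` hunk is a bare `//` note while the neighbouring functions use PHPDoc; a `/** ... */` block with `@brief`, `@param string $contact_id xchan_hash of the connection` and `@return array list of group hashes` would state the same contract in the file's own style. The comment now makes explicit that the query joins `groups` to `group_member` with no channel restriction, so the docblock should also say the result is only meaningful as a "this observer is a member of group X" lookup and must not be read as a per-channel visibility list. The value bound to `WHERE xchan = '%s'` is passed outside the hunk, so its escaping cannot be checked here.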
@@ -243,7 +243,7 @@ function admin_page_site_post(&$a){
 $not_allowed_email = ((x($_POST,'not_allowed_email')) ? notags(trim($_POST['not_allowed_email'])) : '');
 $block_public = ((x($_POST,'block_public')) ? True : False);
 $force_publish = ((x($_POST,'publish_all')) ? True : False);
- $disable_discover_tab = ((x($_POST,'disable_discover_tab')) ? True : False);
+ $disable_discover_tab = ((x($_POST,'disable_discover_tab')) ? False : True);
 $login_on_homepage = ((x($_POST,'login_on_homepage')) ? True : False);
 $global_directory = ((x($_POST,'directory_submit_url')) ? notags(trim($_POST['directory_submit_url'])) : '');
 $no_community_page = !((x($_POST,'no_community_page')) ? True : False);
@@ -425,6 +425,13 @@ function admin_page_site(&$a) {
 // SSL_POLICY_FULL => t("Force all links to use SSL")
 // );
+ $discover_tab = get_config('system','disable_discover_tab');
+ // $disable public streams by default
+ if($discover_tab === false)
+ $discover_tab = 1;
+ // now invert the logic for the setting.
+ $discover_tab = (1 - $discover_tab);
+
 $homelogin = get_config('system','login_on_homepage');
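Review bot: The form field is still named `disable_discover_tab` but the changed line now stores the inverse of that name (checked → `False`), which is only understandable from the relabelled checkbox in the `@@ -461` hunk; the next editor will read `? False : True` as a bug and flip it back. Add a comment on the new line, `// the form field keeps the old name but the UI now asks "import public streams", so checked means the tab is NOT disabled`, or better rename the field and template key so the name and the stored config key agree. admin_page_site_post continues outside the hunk.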
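Review bot: In the `@@ -425` hunk, `$discover_tab = (1 - $discover_tab);` does arithmetic on whatever `get_config()` returns; the `=== false` branch only covers the unset case, and a value stored as an empty or non-numeric string would make that subtraction throw on PHP 8. `$discover_tab = (intval($discover_tab) ? 0 : 1);` expresses the same inversion without depending on the stored type. The comment `// $disable public streams by default` has a stray `$`, and since this inversion is the mirror of the one in admin_page_site_post, say so in the comment: `// config key is disable_discover_tab; the checkbox means "import", hence the inversion`.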
@@ -461,7 +468,7 @@ function admin_page_site(&$a) {
 '$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently logged in.")),
 '$verify_email' => array('verify_email', t("Verify Email Addresses"), get_config('system','verify_email'), t("Check to verify email addresses used in account registration (recommended).")),
 '$force_publish' => array('publish_all', t("Force publish"), get_config('system','publish_all'), t("Check to force all profiles on this site to be listed in the site directory.")),
- '$disable_discover_tab' => array('disable_discover_tab', t("Disable discovery tab"), get_config('system','disable_discover_tab'), t("Remove the tab in the network view with public content pulled from sources chosen for this site.")),
+ '$disable_discover_tab' => array('disable_discover_tab', t('Import Public Streams'), $discover_tab, t('Import and allow access to public content pulled from other sites. Warning: this content is unmoderated.')),
 '$login_on_homepage' => array('login_on_homepage', t("login on Homepage"),((intval($homelogin) || $homelogin === false) ? 1 : '') , t("Present a login box to visitors on the home page if no other content has been configured.")),
 '$directory_server' => (($dir_choices) ? array('directory_server', t("Directory Server URL"), get_config('system','directory_server'), t("Default directory server"), $dir_choices) : null),
diff --git a/view/js/acl.js b/view/js/acl.js
index ed8af478a..6d94b4987 100644
--- a/view/js/acl.js
+++ b/view/js/acl.js
@@ -39,18 +39,18 @@ function ACL(backend_url, preset) {
 // no longer called only on submit - call to update whenever a change occurs to the acl list.
 ACL.prototype.on_submit = function() {
- aclfileds = $("#acl-fields").html("");
+ aclfields = $("#acl-fields").html("");
 $(that.allow_gid).each(function(i,v) {
- aclfileds.append("<input type='hidden' name='group_allow[]' value='"+v+"'>");
+ aclfields.append("<input type='hidden' name='group_allow[]' value='"+v+"'>");
 });
 $(that.allow_cid).each(function(i,v) {
- aclfileds.append("<input type='hidden' name='contact_allow[]' value='"+v+"'>");
+ aclfields.append("<input type='hidden' name='contact_allow[]' value='"+v+"'>");
 });
 $(that.deny_gid).each(function(i,v) {
- aclfileds.append("<input type='hidden' name='group_deny[]' value='"+v+"'>");
+ aclfields.append("<input type='hidden' name='group_deny[]' value='"+v+"'>");
 });
 $(that.deny_cid).each(function(i,v) {
- aclfileds.append("<input type='hidden' name='contact_deny[]' value='"+v+"'>");
+ aclfields.append("<input type='hidden' name='contact_deny[]' value='"+v+"'>");
 });
 //areYouSure jquery plugin: recheck the form here
diff --git a/zot b/zot
deleted file mode 160000
-Subproject d94e61a7b627381715751fb6cb6c0cecf7ece3f |
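Review bot: The typo fix leaves `aclfields = $("#acl-fields").html("");` as an assignment to an undeclared name, so it becomes an implicit global shared by every ACL instance on the page; declare it, `var aclfields = $("#acl-fields").html("");`. The four corrected `.append(...)` lines also build markup by string concatenation with `v` dropped unescaped inside a single-quoted `value` attribute; these ids come from the ACL lists rather than free text, so the exposure is small, but `aclfields.append($("<input>", { type: "hidden", name: "group_allow[]", value: v }));` lets jQuery set the attribute and reads better. on_submit continues past the end of the hunk.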