diff options
-rw-r--r-- | include/permissions.php | 2 | ||||
-rw-r--r-- | mod/item.php | 212 |
2 files changed, 97 insertions, 117 deletions
diff --git a/include/permissions.php b/include/permissions.php index 162f8a71c..d48e98c41 100644 --- a/include/permissions.php +++ b/include/permissions.php @@ -155,7 +155,7 @@ function get_all_perms($uid,$observer) { } -function perm_is_allowed($uid,$observer,$perm_to_check) { +function perm_is_allowed($uid,$observer,$permission) { global $global_perms; diff --git a/mod/item.php b/mod/item.php index 1373f48b6..94d11f4d6 100644 --- a/mod/item.php +++ b/mod/item.php @@ -28,8 +28,6 @@ function item_post(&$a) { if((! local_user()) && (! remote_user()) && (! x($_REQUEST,'commenter'))) return; - logger('get_perms: ' . print_r($a->get_perms(),true)); - require_once('include/security.php'); $uid = local_user(); @@ -61,6 +59,12 @@ function item_post(&$a) { $origin = (($api_source && array_key_exists('origin',$_REQUEST)) ? intval($_REQUEST['origin']) : 1); + + $profile_uid = ((x($_REQUEST,'profile_uid')) ? intval($_REQUEST['profile_uid']) : 0); + $post_id = ((x($_REQUEST,'post_id')) ? intval($_REQUEST['post_id']) : 0); + $app = ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''); + + $return_path = ((x($_REQUEST,'return')) ? $_REQUEST['return'] : ''); $preview = ((x($_REQUEST,'preview')) ? intval($_REQUEST['preview']) : 0); $categories = ((x($_REQUEST['category'])) ? escape_tags($_REQUEST['category']) : ''); @@ -131,33 +135,10 @@ function item_post(&$a) { if($parent) logger('mod_item: item_post parent=' . $parent); - $profile_uid = ((x($_REQUEST,'profile_uid')) ? intval($_REQUEST['profile_uid']) : 0); - $post_id = ((x($_REQUEST,'post_id')) ? intval($_REQUEST['post_id']) : 0); - $app = ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''); - - $allow_moderated = false; - - // here is where we are going to check for permission to post a moderated comment. + $observer = $a->get_observer(); - // First check that the parent exists and it is a wall item. - - if((x($_REQUEST,'commenter')) && ((! $parent) || (! ($parent_item['item_flags'] & ITEM_WALL)))) { - notice( t('Permission denied.') . EOL) ; - if(x($_REQUEST,'return')) - goaway($a->get_baseurl() . "/" . $return_path ); - killme(); - } - - // Now check that it is a page_type of PAGE_BLOG, and that valid personal details - // have been provided, and run any anti-spam plugins - - - // TODO - - - - - if((! can_write_wall($a,$profile_uid)) && (! $allow_moderated)) { + if(! perm_is_allowed($profile_uid,$observer['xchan_hash'],(($parent) ? 'post_comments' : 'post_wall'))) { + dbg(0); notice( t('Permission denied.') . EOL) ; if(x($_REQUEST,'return')) goaway($a->get_baseurl() . "/" . $return_path ); @@ -183,7 +164,6 @@ function item_post(&$a) { if(local_user() && local_user() == $profile_uid) { $channel = $a->get_channel(); - $observer = $a->get_observer(); } else { $r = q("SELECT channel.*, account.* FROM channel left join account on channel.channel_account_id = account.account_id @@ -263,11 +243,12 @@ function item_post(&$a) { $verb = notags(trim($_REQUEST['verb'])); $body = escape_tags(trim($_REQUEST['body'])); - $language = detect_language($body); - - logger('detected language: ' . $language); - - $private = ((strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) ? 1 : 0); + $private = ( + ( strlen($str_group_allow) + || strlen($str_contact_allow) + || strlen($str_group_deny) + || strlen($str_contact_deny) + ) ? 1 : 0); // If this is a comment, set the permissions from the parent. @@ -375,75 +356,16 @@ function item_post(&$a) { * */ - $match = null; - - if((! $preview) && preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) { - $images = $match[1]; - if(count($images)) { - foreach($images as $image) { - if(! stristr($image,$a->get_baseurl() . '/photo/')) - continue; - $image_uri = substr($image,strrpos($image,'/') + 1); - $image_uri = substr($image_uri,0, strpos($image_uri,'-')); - if(! strlen($image_uri)) - continue; - $srch = '<' . $owner_xchan['xchan_hash'] . '>'; + if(! $preview) { + fix_attached_photo_permissions($profile_uid,$owner_xchan['xchan_hash'],$body, + $str_contact_allow,$str_group_allow,$str_contact_deny,$str_group_deny); - $r = q("SELECT `id` FROM `photo` WHERE `allow_cid` = '%s' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' - AND `resource_id` = '%s' AND `uid` = %d LIMIT 1", - dbesc($srch), - dbesc($image_uri), - intval($profile_uid) - ); + fix_attached_file_permissions($profile_uid,$owner_xchan['xchan_hash'],$body, + $str_contact_allow,$str_group_allow,$str_contact_deny,$str_group_deny); - if(! count($r)) - continue; - - - $r = q("UPDATE `photo` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' - WHERE `resource_id` = '%s' AND `uid` = %d AND `album` = '%s' ", - dbesc($str_contact_allow), - dbesc($str_group_allow), - dbesc($str_contact_deny), - dbesc($str_group_deny), - dbesc($image_uri), - intval($profile_uid), - dbesc( t('Wall Photos')) - ); - - } - } } - /** - * Next link in any attachment references we find in the post. - */ - - $match = false; - - if((! $preview) && preg_match_all("/\[attachment\](.*?)\[\/attachment\]/",$body,$match)) { - $attaches = $match[1]; - if(count($attaches)) { - foreach($attaches as $attach) { - $r = q("select * from attach where uid = %d and hash = '%s' limit 1", - intval($profile_uid), - dbesc($attach) - ); - if(count($r)) { - $r = q("UPDATE `attach` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' - WHERE `uid` = %d AND `hash` = '%s' LIMIT 1", - dbesc($str_contact_allow), - dbesc($str_group_allow), - dbesc($str_contact_deny), - dbesc($str_group_deny), - intval($profile_uid), - dbesc($attach) - ); - } - } - } - } $body = bb_translate_video($body); @@ -518,7 +440,7 @@ function item_post(&$a) { } } - logger('post_tags: ' . print_r($post_tags,true)); +// logger('post_tags: ' . print_r($post_tags,true)); if(($private_forum) && (! $parent) && (! $private)) { // we tagged a private forum in a top level post and the message was public. @@ -597,7 +519,6 @@ function item_post(&$a) { $datarray['title'] = $title; $datarray['body'] = $body; $datarray['app'] = $app; - $datarray['lang'] = $language; $datarray['location'] = $location; $datarray['coord'] = $coord; $datarray['inform'] = $inform; @@ -625,22 +546,6 @@ function item_post(&$a) { killme(); } - // post owner can post in any language they wish; others however are subject to the owner's whims about language acceptance - - if($profile_uid != local_user()) { - $allowed_languages = get_pconfig($profile_uid,'system','allowed_languages'); - - if((is_array($allowed_languages)) && ($datarray['lang']) && (! array_key_exists($datarray['lang'],$allowed_languages))) { - $translate = array('item' => $datarray, 'from' => $datarray['lang'], 'to' => $allowed_languages, 'translated' => false); - call_hooks('item_translate', $translate); - if((! $translate['translated']) && (intval(get_pconfig($profile_uid,'system','reject_disallowed_languages')))) { - logger('item_store: language ' . $datarray['lang'] . ' not accepted for uid ' . $datarray['uid']); - return; - } - $datarray = $translate['item']; - } - } - call_hooks('post_local',$datarray); if(x($datarray,'cancel')) { @@ -1023,3 +928,78 @@ function handle_tag($a, &$body, &$inform, &$str_tags, $profile_uid, $tag) { } + +function fix_attached_photo_permissions($uid,$xchan_hash,$body, + $str_contact_allow,$str_group_allow,$str_contact_deny,$str_group_deny) { + + $match = null; + + if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) { + $images = $match[1]; + if($images) { + foreach($images as $image) { + if(! stristr($image,$a->get_baseurl() . '/photo/')) + continue; + $image_uri = substr($image,strrpos($image,'/') + 1); + $image_uri = substr($image_uri,0, strpos($image_uri,'-')); + if(! strlen($image_uri)) + continue; + $srch = '<' . $xchan_hash . '>'; + + $r = q("SELECT id FROM photo + WHERE allow_cid = '%s' AND allow_gid = '' AND deny_cid = '' AND deny_gid = '' + AND resource_id = '%s' AND uid = %d LIMIT 1", + dbesc($srch), + dbesc($image_uri), + intval($uid) + ); + + if($r) { + $r = q("UPDATE photo SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s' + WHERE resource_id = '%s' AND uid = %d AND album = '%s' ", + dbesc($str_contact_allow), + dbesc($str_group_allow), + dbesc($str_contact_deny), + dbesc($str_group_deny), + dbesc($image_uri), + intval($uid), + dbesc( t('Wall Photos')) + ); + } + } + } + } +} + + +function fix_attached_file_permissions($uid,$xchan_hash,$body, + $str_contact_allow,$str_group_allow,$str_contact_deny,$str_group_deny) { + + $match = false; + + if(preg_match_all("/\[attachment\](.*?)\[\/attachment\]/",$body,$match)) { + $attaches = $match[1]; + if($attaches) { + foreach($attaches as $attach) { + $r = q("select * from attach where uid = %d and hash = '%s' + and allow_cid = '%s' and allow_gid = '' and deny_cid = '' and deny_gid = '' limit 1", + intval($uid), + dbesc($attach), + dbesc('<' . $xchan_hash . '>') + ); + if($r) { + $r = q("UPDATE attach + SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s' + WHERE uid = %d AND hash = '%s' LIMIT 1", + dbesc($str_contact_allow), + dbesc($str_group_allow), + dbesc($str_contact_deny), + dbesc($str_group_deny), + intval($uid), + dbesc($attach) + ); + } + } + } + } +} |