diff options
| -rw-r--r-- | Zotlabs/Module/Impel.php | 14 | ||||
| -rw-r--r-- | Zotlabs/Module/Item.php | 13 | ||||
| -rwxr-xr-x | boot.php | 1 | ||||
| -rw-r--r-- | doc/database/db_account.bb | 1 | ||||
| -rw-r--r-- | include/channel.php | 17 | ||||
| -rw-r--r-- | include/import.php | 34 | ||||
| -rw-r--r-- | include/text.php | 26 |
7 files changed, 28 insertions, 78 deletions
diff --git a/Zotlabs/Module/Impel.php b/Zotlabs/Module/Impel.php index 197d9f859..77f488d26 100644 --- a/Zotlabs/Module/Impel.php +++ b/Zotlabs/Module/Impel.php @@ -144,18 +144,8 @@ class Impel extends \Zotlabs\Web\Controller { // Verify ability to use html or php!!! - $execflag = false; - - if($arr['mimetype'] === 'application/x-php') { - $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", - intval(local_channel()) - ); - - if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) { - $execflag = true; - } - } - + $execflag = ((intval($channel['channel_id']) == intval(local_channel()) && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false); + $i = q("select id, edited, item_deleted from item where mid = '%s' and uid = %d limit 1", dbesc($arr['mid']), intval(local_channel()) diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php index 6f54d3bb1..43cf535a4 100644 --- a/Zotlabs/Module/Item.php +++ b/Zotlabs/Module/Item.php @@ -478,17 +478,8 @@ class Item extends \Zotlabs\Web\Controller { // Verify ability to use html or php!!! - $execflag = false; - - $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", - intval($profile_uid) - ); - if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) { - if($uid && (get_account_id() == $z[0]['account_id'])) { - $execflag = true; - } - } - + $execflag = ((intval($channel['channel_id']) == intval($profile_uid) && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false); + $gacl = $acl->get(); $str_contact_allow = $gacl['allow_cid']; $str_group_allow = $gacl['allow_gid']; @@ -549,7 +549,6 @@ define ( 'ACCOUNT_PENDING', 0x0010 ); * Account roles */ -define ( 'ACCOUNT_ROLE_ALLOWCODE', 0x0001 ); define ( 'ACCOUNT_ROLE_SYSTEM', 0x0002 ); define ( 'ACCOUNT_ROLE_DEVELOPER', 0x0004 ); define ( 'ACCOUNT_ROLE_ADMIN', 0x1000 ); diff --git a/doc/database/db_account.bb b/doc/database/db_account.bb index 354f2d3a8..35d7a9eb3 100644 --- a/doc/database/db_account.bb +++ b/doc/database/db_account.bb @@ -58,7 +58,6 @@ define ( 'ACCOUNT_PENDING', 0x0010 ); * Account roles */ -define ( 'ACCOUNT_ROLE_ALLOWCODE', 0x0001 ); // 1 - this account can create content with PHP/Javascript define ( 'ACCOUNT_ROLE_SYSTEM', 0x0002 ); // 2 - this is the special system account define ( 'ACCOUNT_ROLE_DEVELOPER', 0x0004 ); define ( 'ACCOUNT_ROLE_ADMIN', 0x1000 ); // 4096 - this account is an administrator diff --git a/include/channel.php b/include/channel.php index 7cf78cb8b..f88a2f8aa 100644 --- a/include/channel.php +++ b/include/channel.php @@ -2247,3 +2247,20 @@ function channel_remove($channel_id, $local = true, $unset_session=false) { } } + +/* + * This checks if a channel is allowed to publish executable code. + * It is up to the caller to determine if the observer or local_channel + * is in fact the resource owner whose channel_id is being checked + */ + +function channel_codeallowed($channel_id) { + + if(! intval($channel_id)) + return false; + + $x = channelx_by_n($channel_id); + if(($x) && ($x['channel_pageflags'] & PAGE_ALLOWCODE)) + return true; + return false; +}
\ No newline at end of file diff --git a/include/import.php b/include/import.php index ac634639e..d0e15c89d 100644 --- a/include/import.php +++ b/include/import.php @@ -528,16 +528,8 @@ function sync_chatrooms($channel,$chatrooms) { function import_items($channel,$items,$sync = false,$relocate = null) { if($channel && $items) { - $allow_code = false; - $r = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id - where channel_id = %d limit 1", - intval($channel['channel_id']) - ); - if($r) { - if(($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) { - $allow_code = true; - } - } + + $allow_code = channel_codeallowed($channel['channel_id']); $deliver = false; // Don't deliver any messages or notifications when importing @@ -1352,28 +1344,8 @@ function import_webpage_element($element, $channel, $type) { } // Verify ability to use html or php!!! - $execflag = false; - if($arr['mimetype'] === 'application/x-php' || $arr['mimetype'] === 'text/html') { - $z = q("select account_id, account_roles, channel_pageflags from account " - . "left join channel on channel_account_id = account_id where channel_id = %d limit 1", - intval(local_channel()) - ); - if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) { - $execflag = true; - } - else { - logger('Unable to import element "' . $name .'" because AllowCode permission is denied.'); - notice( t('Unable to import element "' . $name .'" because AllowCode permission is denied.') . EOL); - $element['import_success'] = 0; - return $element; - } - } - -// $z = q("select * from iconfig where v = '%s' and k = '%s' and cat = 'system' limit 1", -// dbesc($name), -// dbesc($namespace) -// ); + $execflag = channel_codeallowed(local_channel()); $i = q("select id, edited, item_deleted from item where mid = '%s' and uid = %d limit 1", dbesc($arr['mid']), diff --git a/include/text.php b/include/text.php index 911334a15..14ca19cef 100644 --- a/include/text.php +++ b/include/text.php @@ -104,15 +104,11 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') { return $s; } - $r = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", + $r = q("select channel_pageflags from channel where channel_id = %d limit 1", intval($channel_id) ); - if($r) { - if(($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) { - if(local_channel() && (get_account_id() == $r[0]['account_id'])) { - return $s; - } - } + if(($r) && (local_channel() == $channel_id) && ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) { + return $s; } if($type === 'text/html') @@ -1812,23 +1808,9 @@ function mimetype_select($channel_id, $current = 'text/bbcode') { ); - if(App::$is_sys) { + if((App::$is_sys) || (channel_codeallowed($channel_id) && $channel_id == local_channel())){ $x[] = 'application/x-php'; } - else { - $r = q("select account_id, account_roles, channel_pageflags from account left join channel on account_id = channel_account_id where - channel_id = %d limit 1", - intval($channel_id) - ); - - if($r) { - if(($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) { - if(local_channel() && get_account_id() == $r[0]['account_id']) { - $x[] = 'application/x-php'; - } - } - } - } foreach($x as $y) { $selected = (($y == $current) ? ' selected="selected" ' : ''); |