aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xboot.php2
-rw-r--r--include/attach.php20
-rw-r--r--include/reddav.php12
-rw-r--r--install/database.sql2
-rw-r--r--install/update.php11
5 files changed, 35 insertions, 12 deletions
diff --git a/boot.php b/boot.php
index 79f1b4f79..b518aa1e0 100755
--- a/boot.php
+++ b/boot.php
@@ -46,7 +46,7 @@ define ( 'RED_PLATFORM', 'Red Matrix' );
define ( 'RED_VERSION', trim(file_get_contents('version.inc')) . 'R');
define ( 'ZOT_REVISION', 1 );
-define ( 'DB_UPDATE_VERSION', 1089 );
+define ( 'DB_UPDATE_VERSION', 1090 );
define ( 'EOL', '<br />' . "\r\n" );
define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' );
diff --git a/include/attach.php b/include/attach.php
index f2f889fd7..3524193a6 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -237,7 +237,7 @@ function attach_by_hash_nodata($hash,$rev = 0) {
// Now we'll see if we can access the attachment
- $r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
+ $r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
intval($r[0]['uid']),
dbesc($hash)
);
@@ -358,11 +358,12 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
);
}
elseif($options === 'revise') {
- $r = q("insert into attach ( aid, uid, hash, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("insert into attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($x[0]['aid']),
intval($channel_id),
dbesc($x[0]['hash']),
+ dbesc(get_observer_hash()),
dbesc($filename),
dbesc($mimetype),
intval($filesize),
@@ -393,11 +394,12 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
}
else {
- $r = q("INSERT INTO attach ( aid, uid, hash, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($channel['channel_account_id']),
intval($channel_id),
dbesc($hash),
+ dbesc(get_observer_hash()),
dbesc($filename),
dbesc($mimetype),
intval($filesize),
@@ -422,7 +424,7 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
// Caution: This re-uses $sql_options set further above
- $r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_options limit 1",
+ $r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_options limit 1",
intval($channel_id),
dbesc($hash)
);
@@ -482,7 +484,7 @@ function z_readdir($channel_id,$observer_hash,$pathname, $parent_hash = '') {
else
$paths = array($pathname);
- $r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id),
+ $r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id),
intval($channel_id),
dbesc($parent_hash),
dbesc($paths[0]),
@@ -599,11 +601,12 @@ function attach_mkdir($channel,$observer_hash,$arr = null) {
$created = datetime_convert();
- $r = q("INSERT INTO attach ( aid, uid, hash, filename, filetype, filesize, revision, folder, flags, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($channel['channel_account_id']),
intval($channel_id),
dbesc($arr['hash']),
+ dbesc(get_observer_hash()),
dbesc($arr['filename']),
dbesc('multipart/mixed'),
intval(0),
@@ -690,6 +693,7 @@ function attach_delete($channel_id,$resource) {
intval($channel_id)
);
+
if(! $r)
return;
diff --git a/include/reddav.php b/include/reddav.php
index 24eca9e81..2aedeed04 100644
--- a/include/reddav.php
+++ b/include/reddav.php
@@ -115,11 +115,12 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
$filesize = 0;
$hash = random_string();
- $r = q("INSERT INTO attach ( aid, uid, hash, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($c[0]['channel_account_id']),
intval($c[0]['channel_id']),
dbesc($hash),
+ dbesc($this->auth->observer),
dbesc($name),
dbesc($this->folder_hash),
dbesc(ATTACH_FLAG_OS),
@@ -415,6 +416,13 @@ class RedFile extends DAV\Node implements DAV\IFile {
return;
}
+ if($this->auth->owner_id !== $this->auth->channel_id) {
+ if(($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {
+ throw new DAV\Exception\Forbidden('Permission denied.');
+ return;
+ }
+ }
+
attach_delete($this->auth->owner_id,$this->data['hash']);
}
diff --git a/install/database.sql b/install/database.sql
index ac8382162..d28128795 100644
--- a/install/database.sql
+++ b/install/database.sql
@@ -87,6 +87,7 @@ CREATE TABLE IF NOT EXISTS `attach` (
`aid` int(10) unsigned NOT NULL DEFAULT '0',
`uid` int(10) unsigned NOT NULL DEFAULT '0',
`hash` char(64) NOT NULL DEFAULT '',
+ `creator` char(128) NOT NULL DEFAULT '0',
`filename` char(255) NOT NULL DEFAULT '',
`filetype` char(64) NOT NULL DEFAULT '',
`filesize` int(10) unsigned NOT NULL DEFAULT '0',
@@ -104,6 +105,7 @@ CREATE TABLE IF NOT EXISTS `attach` (
KEY `aid` (`aid`),
KEY `uid` (`uid`),
KEY `hash` (`hash`),
+ KEY `creator` (`creator`),
KEY `filename` (`filename`),
KEY `filetype` (`filetype`),
KEY `filesize` (`filesize`),
diff --git a/install/update.php b/install/update.php
index 5025222a6..3e04df51b 100644
--- a/install/update.php
+++ b/install/update.php
@@ -1,6 +1,6 @@
<?php
-define( 'UPDATE_VERSION' , 1089 );
+define( 'UPDATE_VERSION' , 1090 );
/**
*
@@ -977,3 +977,12 @@ ADD `deny_gid` MEDIUMTEXT NOT NULL DEFAULT ''");
return UPDATE_FAILED;
}
+function update_r1089() {
+ $r = q("ALTER TABLE `attach` ADD `creator` CHAR( 128 ) NOT NULL DEFAULT '' AFTER `hash` ,
+ADD INDEX ( `creator` ) ");
+ if($r)
+ return UPDATE_SUCCESS;
+ return UPDATE_FAILED;
+}
+
+