-rw-r--r-- | include/conversation.php | 5 | ||||
-rw-r--r-- | include/security.php | 40 | ||||
-rw-r--r-- | js/main.js | 8 | ||||
-rw-r--r-- | mod/channel.php | 1 | ||||
-rw-r--r-- | mod/display.php | 196 | ||||
-rw-r--r-- | mod/network.php | 1 | ||||
-rw-r--r-- | mod/search.php | 3 | ||||
-rw-r--r-- | mod/update_display.php | 39 | ||||
-rw-r--r-- | view/tpl/build_query.tpl | 2 | ||||
-rw-r--r-- | view/tpl/rmagic.tpl | 11 | ||||
-rw-r--r-- | view/tpl/smarty3/build_query.tpl | 2 | ||||
-rw-r--r-- | view/tpl/smarty3/rmagic.tpl | 16 |
12 files changed, 207 insertions, 117 deletions
diff --git a/include/conversation.php b/include/conversation.php index 4758721a5..fe4ac54f5 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -409,6 +409,7 @@ function conversation(&$a, $items, $mode, $update, $page_mode = 'traditional') { . ((x($_GET,'cmin')) ? '&cmin=' . $_GET['cmin'] : '') . ((x($_GET,'cmax')) ? '&cmax=' . $_GET['cmax'] : '') . ((x($_GET,'file')) ? '&file=' . $_GET['file'] : '') + . ((x($_GET,'uri')) ? '&uri=' . $_GET['uri'] : '') . "'; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; } @@ -435,8 +436,8 @@ function conversation(&$a, $items, $mode, $update, $page_mode = 'traditional') { } elseif($mode === 'display') { - $profile_owner = $a->profile['uid']; - $page_writeable = ($profile_owner == local_user()); + $profile_owner = local_user(); + $page_writeable = false; $live_update_div = '<div id="live-display"></div>' . "\r\n"; diff --git a/include/security.php b/include/security.php index 9f4058f88..8477ea6de 100644 --- a/include/security.php +++ b/include/security.php @@ -214,13 +214,13 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) { $gs .= '|<' . $g . '>'; } $sql = sprintf( - " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s') - AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", - dbesc(protect_sprintf( '%' . $remote_user . '%')), + dbesc(protect_sprintf( '%<' . $remote_user . '>%')), dbesc($gs), - dbesc(protect_sprintf( '%' . $remote_user . '%')), + dbesc(protect_sprintf( '%<' . $remote_user . '>%')), dbesc($gs) ); } 
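Review bot: The added line concatenates `$_GET['uri']` straight into the inline `<script>` string that builds `netargs`, so a value containing `'`, `\` or `</script>` breaks out of the JavaScript literal and is reflected into the page. Since netargs is a query string, `urlencode()` is the right escape and keeps the value intact for the server: `. ((x($_GET,'uri')) ? '&uri=' . urlencode($_GET['uri']) : '')`. The neighbouring `cmin`/`cmax`/`file` lines have the same shape, but that is pre-existing. The same request value also reaches `var bParam_uri = "$uri";` in view/tpl/build_query.tpl and its smarty3 twin through display.php's `'$uri' => $item_hash` (sourced from `$_REQUEST['uri']`), where the template variable is likewise unescaped inside a JS string; applying `urlencode($item_hash)` at that assignment covers both templates. conversation() continues outside the hunk.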
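Review bot: `$remote_user` reaches the LIKE pattern through protect_sprintf() and dbesc() only, and neither escapes the LIKE metacharacters `%` and `_`, so a value containing either would widen `allow_cid like '%<hash>%'` beyond the intended exact token. If the hash alphabet excludes those characters (it looks like a digest, but that is not visible here), a one-line comment saying so would settle it; otherwise escape before wrapping, e.g. `dbesc(protect_sprintf('%<' . addcslashes($remote_user, '%_') . '>%'))`. `$gs` is interpolated into `REGEXP` without escaping regex metacharacters and deserves the same treatment or comment. The identical pattern recurs in item_permissions_sql and the new public_permissions_sql in the next hunk, so one fix covers all three. permissions_sql begins outside the hunk.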
@@ -269,19 +269,43 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) $gs .= '|<' . $g . '>'; } $sql = sprintf( - " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s') - AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", - dbesc(protect_sprintf( '%' . $remote_user . '%')), + dbesc(protect_sprintf( '%<' . $remote_user . '>%')), dbesc($gs), - dbesc(protect_sprintf( '%' . $remote_user . '%')), + dbesc(protect_sprintf( '%<' . $remote_user . '>%')), dbesc($gs) ); } return $sql; } +function public_permissions_sql($observer_hash) { + + $observer = get_app()->get_observer(); + $groups = init_groups_visitor($observer_hash); + + $gs = '<<>>'; // should be impossible to match + + if(is_array($groups) && count($groups)) { + foreach($groups as $g) + $gs .= '|<' . $g . '>'; + } + $sql = sprintf( + " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + )) + ", + dbesc(protect_sprintf( '%<' . $observer_hash . '>%')), + dbesc($gs), + dbesc(protect_sprintf( '%<' . $observer_hash . '>%')), + dbesc($gs) + ); + + return $sql; +} /* diff --git a/js/main.js b/js/main.js index 6c5095087..ed8d4ec3f 100644 --- a/js/main.js +++ b/js/main.js @@ -269,12 +269,8 @@ if($('#live-network').length) { src = 'network'; liveUpdate(); } if($('#live-channel').length) { src = 'channel'; liveUpdate(); } if($('#live-community').length) { src = 'community'; liveUpdate(); } - if($('#live-display').length) { - if(liking) { - liking = 0; - window.location.href=window.location.href - } - } + if($('#live-display').length) { src = 'display'; liveUpdate(); } + if($('#live-photos').length) { if(liking) { liking = 0; 
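Review bot: `$observer = get_app()->get_observer();` in the new public_permissions_sql() is assigned and never read; drop it, otherwise the call is a wasted lookup that also hides what the function actually depends on. The returned fragment starts with ` OR ((`, which only composes correctly when the caller has parenthesized the conditions it is OR'ed against; the one caller in this commit (mod/display.php) does not, and SQL's AND-before-OR precedence then detaches the trailing `uri` filter from the public branch. Either return a self-contained predicate (no leading `OR`, so the caller writes `AND ( <public conditions> OR (...) )`) or state the contract in a header comment such as `// Returns an " OR ((...))" fragment; the caller MUST parenthesize the conditions this is OR'ed with.` The LIKE-wildcard remark from the permissions_sql hunk applies to `$observer_hash` here as well.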
diff --git a/mod/channel.php b/mod/channel.php index f3e247399..7869e54db 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -247,6 +247,7 @@ function channel_content(&$a, $update = 0, $load = false) { '$order' => '', '$file' => '', '$cats' => (($category) ? $category : ''), + '$uri' => '', '$dend' => $datequery, '$dbegin' => $datequery2 )); diff --git a/mod/display.php b/mod/display.php index 1fdac9c2c..2ececb262 100644 --- a/mod/display.php +++ b/mod/display.php @@ -1,7 +1,7 @@ <?php -function display_content(&$a) { +function display_content(&$a, $update = 0, $load = false) { if(intval(get_config('system','block_public')) && (! local_user()) && (! remote_user())) { notice( t('Public access denied.') . EOL); @@ -14,13 +14,16 @@ function display_content(&$a) { require_once('include/acl_selectors.php'); require_once('include/items.php'); - $o = '<div id="live-display"></div>' . "\r\n"; +// $o = '<div id="live-display"></div>' . "\r\n"; $a->page['htmlhead'] .= replace_macros(get_markup_template('display-head.tpl'), array()); - if(argc() > 1) + if(argc() > 1 && argv(1) !== 'load') $item_hash = argv(1); + if($_REQUEST['uri']) + $item_hash = $_REQUEST['uri']; + if(! $item_hash) { $a->error = 404; 
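Review bot: `if($_REQUEST['uri'])` reads the key unguarded, and when neither it nor the argv branch assigns, `$item_hash` is undefined at `if(! $item_hash)`; both raise notices on every request without a `uri`. Initialise first and reuse the page's `x()` helper: `$item_hash = ((argc() > 1 && argv(1) !== 'load') ? argv(1) : '');` then `if(x($_REQUEST,'uri')) $item_hash = $_REQUEST['uri'];`. Commenting out `$o = '<div id="live-display"></div>' …` also removes the only initialisation of `$o`, so the later `$o .=` appends to an undefined variable; replace the commented line with `$o = '';` rather than leaving dead code. display_content continues past this hunk.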
@@ -37,135 +40,128 @@ function display_content(&$a) { // and if that fails, look for a copy of the post that has no privacy restrictions. // If we find the post, but we don't find a copy that we're allowed to look at, this fact needs to be reported. -// FIXME - on the short term, we'll only do the first query. + // find a copy of the item somewhere $target_item = null; - - if(local_user()) { - $r = q("select * from item where uri = '%s' and uid = %d limit 1", - dbesc($item_hash), - intval(local_user()) - ); - if($r) { - $owner = local_user(); - $observer_is_owner = true; - $target_item = $r[0]; - } +dbg(1); + $r = q("select uri, parent_uri from item where uri = '%s' limit 1", + dbesc($item_hash) + ); +dbg(0); + if($r) { + $target_item = $r[0]; } + if((! $update) && (! $load)) { + + + $o .= '<div id="live-display"></div>' . "\r\n"; + $o .= "<script> var profile_uid = " . intval(local_user()) + . "; var netargs = '?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; + + $a->page['htmlhead'] .= replace_macros(get_markup_template("build_query.tpl"),array( + '$baseurl' => z_root(), + '$pgtype' => 'display', + '$uid' => '0', + '$gid' => '0', + '$cid' => '0', + '$cmin' => '0', + '$cmax' => '99', + '$star' => '0', + '$liked' => '0', + '$conv' => '0', + '$spam' => '0', + '$nouveau' => '0', + '$wall' => '0', + '$page' => (($a->pager['page'] != 1) ? $a->pager['page'] : 1), + '$search' => '', + '$order' => '', + '$file' => '', + '$cats' => '', + '$dend' => '', + '$dbegin' => '', + '$uri' => $item_hash + )); - // Checking for visitors is a bit harder, we'll look for this item from any of their friends that they've auth'd - // against and see if any of them are writeable. - // This will be messy. -// $nick = (($a->argc > 1) ? $a->argv[1] : ''); -// profile_load($a,$nick); -// profile_aside($a); + } -// $item_id = (($a->argc > 2) ? intval($a->argv[2]) : 0); + $sql_extra = public_permissions_sql(get_observer_hash()); -// if(! 
$item_id) { -// $a->error = 404; -// notice( t('Item not found.') . EOL); -// return; -// } -// $groups = array(); + if($load) { -// $contact = null; -// $remote_contact = false; + $pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage'])); -// $contact_id = 0; + if($load) { +dbg(1); + $r = q("SELECT * from item + WHERE item_restrict = 0 + AND ( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' + AND `item`.`deny_gid` = '' AND item_private = 0 ) + and uid in ( " . stream_perms_api_uids() . " ) + $sql_extra + and uri = '%s' + group by uri limit 1", + dbesc($target_item['parent_uri']) + ); +dbg(0); + } + else { + $r = array(); + } + } -// if(is_array($_SESSION['remote'])) { -// foreach($_SESSION['remote'] as $v) { -// if($v['uid'] == $a->profile['uid']) { -// $contact_id = $v['cid']; -// break; -// } -// } -// } - -// if($contact_id) { -// $groups = init_groups_visitor($contact_id); -// $r = q("SELECT * FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1", -// intval($contact_id), -// intval($a->profile['uid']) -// ); -// if(count($r)) { -// $contact = $r[0]; -// $remote_contact = true; -// } -// } + if($r) { -// if(! $remote_contact) { + $parents_str = ids_to_querystr($r,'id'); + if($parents_str) { + dbg(1); -// if(local_user()) { -// $contact_id = $_SESSION['cid']; -// $contact = $a->contact; -// } -// } + $items = q("SELECT `item`.*, `item`.`id` AS `item_id` + FROM `item` + WHERE item_restrict = 0 and parent in ( %s ) ", + dbesc($parents_str) + ); -// $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1", -// intval($a->profile['uid']) -// ); +dbg(0); + xchan_query($items); + $items = fetch_post_tags($items); + $items = conv_sort($items,'created'); + } + } else { + $items = array(); + } -// $is_owner = ((local_user()) && (local_user() == $a->profile['profile_uid']) ? true : false); if($a->profile['hidewall'] && (! $is_owner) && (! 
$remote_contact)) { notice( t('Access to this profile has been restricted.') . EOL); return; } -// if ($is_owner) -// $celeb = ((($a->user['page-flags'] == PAGE_SOAPBOX) || ($a->user['page-flags'] == PAGE_COMMUNITY)) ? true : false); - -// $x = array( -// 'is_owner' => true, -// 'allow_location' => $a->user['allow_location'], -// 'default_location' => $a->user['default-location'], -// 'nickname' => $a->user['nickname'], -// 'lockstate' => ( (is_array($a->user)) && ((strlen($a->user['allow_cid'])) || (strlen($a->user['allow_gid'])) || (strlen($a->user['deny_cid'])) || (strlen($a->user['deny_gid']))) ? 'lock' : 'unlock'), -// 'acl' => populate_acl($a->user, $celeb), -// 'bang' => '', -// 'visitor' => 'block', -// 'profile_uid' => local_user() -// ); -// $o .= status_editor($a,$x,true); - - -// FIXME -// $sql_extra = item_permissions_sql($a->profile['uid']); - - if($target_item) { - $r = q("SELECT * from item where parent = %d", - intval($target_item['parent']) - ); - } - + if($items) { - if($r) { - - if((local_user()) && (local_user() == $owner)) { +// if((local_user()) && (local_user() == $owner)) { // q("UPDATE `item` SET `unseen` = 0 // WHERE `parent` = %d AND `unseen` = 1", // intval($r[0]['parent']) // ); - } +// } - xchan_query($r); - $r = fetch_post_tags($r); +// xchan_query($items); +// $items = fetch_post_tags($items); - $o .= conversation($a,$r,'display', false); + $o .= conversation($a,$items,'display', $update, 'client'); } +/* else { - $r = q("SELECT `id`,`deleted` FROM `item` WHERE `id` = '%s' OR `uri` = '%s' LIMIT 1", - dbesc($item_id), - dbesc($item_id) + $r = q("SELECT `id`, item_flags FROM `item` WHERE `id` = '%s' OR `uri` = '%s' LIMIT 1", + dbesc($item_hash), + dbesc($item_hash) ); - if(count($r)) { - if($r[0]['deleted']) { + if($r) { + if($r[0]['item_flags'] & ITEM_DELETED) { notice( t('Item has been removed.') . EOL ); } else { @@ -177,7 +173,7 @@ function display_content(&$a) { } } - +*/ return $o; } 
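Review bot: The load query's WHERE clause mixes AND and OR without grouping: `$sql_extra` expands to ` OR ((…))`, so MySQL parses it as `(item_restrict = 0 AND public-ACL AND uid in (…)) OR (observer-ACL AND uri = '%s')`, leaving the `uri` filter off the public branch and the `item_restrict` check off the observer branch. The public branch can then return an arbitrary public item (`group by uri limit 1`) instead of the requested parent, and the observer branch can return restricted items; grouping the public conditions together with `$sql_extra` in one parenthesized term, as below, fixes both. `$target_item['parent_uri']` is dereferenced even when the first lookup found nothing, so the `$load` branch should also require `$target_item`. The `dbg(1)`/`dbg(0)` pairs and the unused `$pager_sql` read as debugging leftovers. display_content begins in an earlier hunk; only its tail is visible here.
```php
if($load && $target_item) {
    $r = q("SELECT * from item
        WHERE item_restrict = 0
        AND uri = '%s'
        AND ( ( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
                AND `item`.`deny_gid` = '' AND item_private = 0
                AND uid in ( " . stream_perms_api_uids() . " ) )
            $sql_extra )
        group by uri limit 1",
        dbesc($target_item['parent_uri'])
    );
}
else {
    $r = array();
}
// … unchanged: parent fetch, xchan_query / fetch_post_tags / conv_sort, conversation() call …
```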
diff --git a/mod/network.php b/mod/network.php index 127e7da7f..1a3989b69 100644 --- a/mod/network.php +++ b/mod/network.php @@ -515,6 +515,7 @@ function network_content(&$a, $update = 0, $load = false) { '$file' => $file, '$cats' => '', '$dend' => $datequery, + '$uri' => '', '$dbegin' => $datequery2 )); } diff --git a/mod/search.php b/mod/search.php index 7a0f4205d..f76254116 100644 --- a/mod/search.php +++ b/mod/search.php @@ -152,7 +152,7 @@ function search_content(&$a) { // This is ugly, but we can't pass the profile_uid through the session to the ajax updater, // because browser prefetching might change it on us. We have to deliver it with the page. - $o .= '<div id="live-channel"></div>' . "\r\n"; + $o .= '<div id="live-search"></div>' . "\r\n"; $o .= "<script> var profile_uid = " . $a->profile['profile_uid'] . "; var netargs = '?f='; var profile_page = " . $a->pager['page'] . "; </script>\r\n"; @@ -175,6 +175,7 @@ function search_content(&$a) { '$order' => '', '$file' => '', '$cats' => '', + '$uri' => '', '$dend' => '', '$dbegin' => '' )); diff --git a/mod/update_display.php b/mod/update_display.php new file mode 100644 index 000000000..e23b29399 --- /dev/null +++ b/mod/update_display.php 
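Review bot: The live-update div id changes from `live-channel` to `live-search`, but the js/main.js hunk in this commit only dispatches on `#live-network`, `#live-channel`, `#live-community`, `#live-display` and `#live-photos`; unless a `#live-search` branch exists outside that hunk, the search page stops triggering liveUpdate() where it was previously routed as `channel`. If that is intended, a short comment beside the new id would make it clear; otherwise add a matching branch in main.js (with whatever update endpoint search uses) alongside the others. search_content continues outside the hunk.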
@@ -0,0 +1,39 @@
+<?php
+
+// See update_profile.php for documentation
+
+require_once('mod/display.php');
+require_once('include/group.php');
+
+function update_display_content(&$a) {
+
+ $profile_uid = intval($_GET['p']);
+ $load = (((argc() > 1) && (argv(1) == 'load')) ? 1 : 0);
+ header("Content-type: text/html");
+ echo "<!DOCTYPE html><html><body>\r\n";
+ echo (($_GET['msie'] == 1) ? '<div>' : '<section>');
+
+
+ $text = display_content($a,$profile_uid, $load);
+ $pattern = "/<img([^>]*) src=\"([^\"]*)\"/";
+ $replace = "<img\${1} dst=\"\${2}\"";
+ $text = preg_replace($pattern, $replace, $text);
+
+ $replace = '<br />' . t('[Embedded content - reload page to view]') . '<br />';
+ $pattern = "/<\s*audio[^>]*>(.*?)<\s*\/\s*audio>/i";
+ $text = preg_replace($pattern, $replace, $text);
+ $pattern = "/<\s*video[^>]*>(.*?)<\s*\/\s*video>/i";
+ $text = preg_replace($pattern, $replace, $text);
+ $pattern = "/<\s*embed[^>]*>(.*?)<\s*\/\s*embed>/i";
+ $text = preg_replace($pattern, $replace, $text);
+ $pattern = "/<\s*iframe[^>]*>(.*?)<\s*\/\s*iframe>/i";
+ $text = preg_replace($pattern, $replace, $text);
+
+
+ echo str_replace("\t",' ',$text);
+ echo (($_GET['msie'] == 1) ? '</div>' : '</section>');
+ echo "</body></html>\r\n";
+// logger('update_display: ' . $text);
+ killme();
+
+}
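Review bot: `display_content($a,$profile_uid, $load)` passes `intval($_GET['p'])` into display_content's `$update` parameter (per its new signature in the mod/display.php hunk), so the local name `$profile_uid` misdescribes what it carries; name it `$update`. display.php emits `var profile_uid = intval(local_user())`, so if liveUpdate sends that as `p` (as the other update_* modules suggest, not visible here) an anonymous viewer sends `p=0`, `$update` is false, and the AJAX response takes the non-update path that re-emits the live-display div and build_query script — worth confirming. `$_GET['p']` and `$_GET['msie']` are read without `isset`/`x()` guards. `header("Content-type: text/html")` omits the charset; `header('Content-type: text/html; charset=utf-8')` removes any ambiguity about how the echoed markup is decoded.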
\ No newline at end of file diff --git a/view/tpl/build_query.tpl b/view/tpl/build_query.tpl index b7b0ac86c..f4795acb2 100644 --- a/view/tpl/build_query.tpl +++ b/view/tpl/build_query.tpl @@ -22,6 +22,7 @@ var bParam_cats = "$cats"; var bParam_dend = "$dend"; var bParam_dbegin = "$dbegin"; + var bParam_uri = "$uri"; function buildCmd() { var udargs = ((page_load) ? "/load" : ""); @@ -42,6 +43,7 @@ if(bParam_cats != "") bCmd = bCmd + "&cats=" + bParam_cats; if(bParam_dend != "") bCmd = bCmd + "&dend=" + bParam_dend; if(bParam_dbegin != "") bCmd = bCmd + "&dbegin=" + bParam_dbegin; + if(bParam_uri != "") bCmd = bCmd + "&uri=" + bParam_uri; if(bParam_page != 1) bCmd = bCmd + "&page=" + bParam_page; return(bCmd); } diff --git a/view/tpl/rmagic.tpl b/view/tpl/rmagic.tpl new file mode 100644 index 000000000..f16abe975 --- /dev/null +++ b/view/tpl/rmagic.tpl @@ -0,0 +1,11 @@ +<h3>$title</h3> + +<form action="rmagic" method="post" > + + <label for="rmagic-address" id="label-rmagic-address" class="rmagic-label">$desc</label> + <input type="text" maxlength="255" size="32" name="address" id="rmagic-address" class="rmagic-input" value="" /> + + <input type="submit" name="submit" id="rmagic-submit-button" value="$submit" /> + <div id="rmagic-submit-end" class="rmagic-field-end"></div> + +</form> diff --git a/view/tpl/smarty3/build_query.tpl b/view/tpl/smarty3/build_query.tpl index 5520fb5b9..6df7f6589 100644 --- a/view/tpl/smarty3/build_query.tpl +++ b/view/tpl/smarty3/build_query.tpl @@ -27,6 +27,7 @@ var bParam_cats = "{{$cats}}"; var bParam_dend = "{{$dend}}"; var bParam_dbegin = "{{$dbegin}}"; + var bParam_uri = "{{$uri}}"; function buildCmd() { var udargs = ((page_load) ? "/load" : ""); 
@@ -47,6 +48,7 @@ if(bParam_cats != "") bCmd = bCmd + "&cats=" + bParam_cats; if(bParam_dend != "") bCmd = bCmd + "&dend=" + bParam_dend; if(bParam_dbegin != "") bCmd = bCmd + "&dbegin=" + bParam_dbegin; + if(bParam_uri != "") bCmd = bCmd + "&uri=" + bParam_uri; if(bParam_page != 1) bCmd = bCmd + "&page=" + bParam_page; return(bCmd); } diff --git a/view/tpl/smarty3/rmagic.tpl b/view/tpl/smarty3/rmagic.tpl new file mode 100644 index 000000000..7e4e563d9 --- /dev/null +++ b/view/tpl/smarty3/rmagic.tpl @@ -0,0 +1,16 @@ +{{* + * AUTOMATICALLY GENERATED TEMPLATE + * DO NOT EDIT THIS FILE, CHANGES WILL BE OVERWRITTEN + * + *}} +<h3>{{$title}}</h3> + +<form action="rmagic" method="post" > + + <label for="rmagic-address" id="label-rmagic-address" class="rmagic-label">{{$desc}}</label> + <input type="text" maxlength="255" size="32" name="address" id="rmagic-address" class="rmagic-input" value="" /> + + <input type="submit" name="submit" id="rmagic-submit-button" value="{{$submit}}" /> + <div id="rmagic-submit-end" class="rmagic-field-end"></div> + +</form> |