aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/security.php46
-rw-r--r--mod/display.php4
-rw-r--r--mod/search.php62
3 files changed, 76 insertions, 36 deletions
diff --git a/include/security.php b/include/security.php
index 4738e473b..632b8d607 100644
--- a/include/security.php
+++ b/include/security.php
@@ -302,16 +302,19 @@ function public_permissions_sql($observer_hash) {
foreach($groups as $g)
$gs .= '|<' . $g . '>';
}
- $sql = sprintf(
- " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- ))
- ",
- dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
- dbesc($gs)
- );
+ $sql = '';
+ if($observer_hash) {
+ $sql = sprintf(
+ " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ ))
+ ",
+ dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+ dbesc($gs)
+ );
+ }
return $sql;
}
@@ -424,6 +427,29 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
$str .= ',';
$str .= intval($rr);
}
+logger('stream_perms_api_uids: ' . $str);
return $str;
}
+function stream_perms_xchans($perms_min = PERMS_SITE) {
+ $ret = array();
+ if(local_user())
+ $ret[] = get_observer_hash();
+ $r = q("select channel_hash from channel where channel_r_stream <= %d",
+ intval($perms_min)
+ );
+ if($r)
+ foreach($r as $rr)
+ if(! in_array($rr['channel_hash'],$ret))
+ $ret[] = $rr['channel_hash'];
+
+ $str = '';
+ if($ret)
+ foreach($ret as $rr) {
+ if($str)
+ $str .= ',';
+ $str .= "'" . dbesc($rr) . "'";
+ }
+logger('stream_perms_xchans: ' . $str);
+ return $str;
+}
diff --git a/mod/display.php b/mod/display.php
index d19502eb1..476087ce7 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
}
}
if($r === null) {
+dbg(1);
$r = q("SELECT * from item
WHERE item_restrict = 0
and mid = '%s'
AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
AND `item`.`deny_gid` = '' AND item_private = 0 )
- and uid in ( " . stream_perms_api_uids() . " ))
+ and owner_xchan in ( " . stream_perms_xchans() . " ))
$sql_extra )
group by mid limit 1",
dbesc($target_item['parent_mid'])
);
+dbg(0);
}
}
diff --git a/mod/search.php b/mod/search.php
index 38131f63f..1cb6cb461 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -183,23 +183,37 @@ function search_content(&$a,$update = 0, $load = false) {
}
-
+ $pub_sql = public_permissions_sql(get_observer_hash());
if(($update) && ($load)) {
$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
-dbg(1);
+
if($load) {
- $r = q("SELECT distinct mid, id as item_id from item
- WHERE item_restrict = 0
- AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
- OR ( `item`.`uid` = %d ))
- $sql_extra
- group by mid ORDER BY created DESC $pager_sql ",
- intval(local_user()),
- intval(ABOOK_FLAG_BLOCKED)
+ $r = null;
+
+ if(local_user()) {
+ $r = q("SELECT distinct mid, item.* from item
+ WHERE item_restrict = 0
+ AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
+ OR ( `item`.`uid` = %d ))
+ $sql_extra
+ group by mid ORDER BY created DESC $pager_sql ",
+ intval(local_user()),
+ intval(ABOOK_FLAG_BLOCKED)
- );
-dbg(0);
+ );
+ }
+ if($r === null) {
+ $r = q("SELECT distinct mid, item.* from item
+ WHERE item_restrict = 0
+ AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
+ AND `item`.`deny_gid` = '' AND item_private = 0 )
+ and owner_xchan in ( " . stream_perms_xchans() . " ))
+ $pub_sql )
+ $sql_extra
+ group by mid ORDER BY created DESC $pager_sql"
+ );
+ }
}
else {
$r = array();
@@ -208,19 +222,17 @@ dbg(0);
if($r) {
- $parents_str = ids_to_querystr($r,'item_id');
-dbg(1);
- $items = q("SELECT `item`.*, `item`.`id` AS `item_id`
- FROM `item`
- WHERE item_restrict = 0
- $sql_extra and parent in ( $parents_str ) "
-// intval($a->profile['profile_uid']),
-// dbesc($parents_str)
- );
-dbg(0);
- xchan_query($items);
- $items = fetch_post_tags($items,true);
- $items = conv_sort($items,'created');
+// $parents_str = ids_to_querystr($r,'item_id');
+
+// $items = q("SELECT `item`.*, `item`.`id` AS `item_id`
+// FROM `item`
+// WHERE item_restrict = 0
+// $sql_extra and parent in ( $parents_str ) "
+// );
+
+ xchan_query($r);
+ $items = fetch_post_tags($r,true);
+// $items = conv_sort($items,'created');
} else {
$items = array();