diff options
-rwxr-xr-x | boot.php | 4 | ||||
-rwxr-xr-x | database.sql | 7 | ||||
-rwxr-xr-x | include/security.php | 23 | ||||
-rwxr-xr-x | mod/manage.php | 70 | ||||
-rwxr-xr-x | mod/settings.php | 12 | ||||
-rwxr-xr-x | update.php | 14 |
6 files changed, 103 insertions, 27 deletions
@@ -9,9 +9,9 @@ require_once('include/nav.php'); require_once('include/cache.php'); define ( 'FRIENDICA_PLATFORM', 'Friendica'); -define ( 'FRIENDICA_VERSION', '2.3.1235' ); +define ( 'FRIENDICA_VERSION', '2.3.1236' ); define ( 'DFRN_PROTOCOL_VERSION', '2.22' ); -define ( 'DB_UPDATE_VERSION', 1116 ); +define ( 'DB_UPDATE_VERSION', 1117 ); define ( 'EOL', "<br />\r\n" ); define ( 'ATOM_TIME', 'Y-m-d\TH:i:s\Z' ); diff --git a/database.sql b/database.sql index 5b7c870df..68b8ea076 100755 --- a/database.sql +++ b/database.sql @@ -769,4 +769,11 @@ INDEX ( `twit` ), INDEX ( `stat` ) ) ENGINE = MyISAM DEFAULT CHARSET=utf8; +CREATE TABLE IF NOT EXISTS `manage` { +`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY , +`uid` INT NOT NULL , +`mid` INT NOT NULL, +INDEX ( `uid` ), +INDEX ( `mid` ) +) ENGINE = MyISAM DEFAULT CHARSET=utf8; diff --git a/include/security.php b/include/security.php index f3f16e1bc..394986f27 100755 --- a/include/security.php +++ b/include/security.php @@ -34,13 +34,30 @@ function authenticate_success($user_record, $login_initial = false, $interactive $a->timezone = $a->user['timezone']; } - $r = q("SELECT `uid`,`username` FROM `user` WHERE `password` = '%s' AND `email` = '%s'", - dbesc($a->user['password']), - dbesc($a->user['email']) + $master_record = $a->user; + if((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) { + $r = q("select * from user where uid = %d limit 1", + intval($_SESSION['submanage']) + ); + if(count($r)) + $master_record = $r[0]; + } + + $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s'", + dbesc($master_record['password']), + dbesc($master_record['email']) ); if(count($r)) $a->identities = $r; + else + $a->identities = array(); + $r = q("select `user`.`uid`, `user`.`username`, `user`.`nickname` from manage left join user on manage.mid = user.uid + where `manage`.`uid` = %d", + intval($master_record['uid']) + ); + if(count($r)) + $a->identities = array_merge($a->identities,$r); $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1", intval($_SESSION['uid'])); diff --git a/mod/manage.php b/mod/manage.php index 41ec81129..ec4dcd8a0 100755 --- a/mod/manage.php +++ b/mod/manage.php @@ -3,18 +3,56 @@ function manage_post(&$a) { - if(! local_user() || ! is_array($a->identities)) + if(! local_user()) return; + $uid = local_user(); + $orig_record = $a->user; + + if((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) { + $r = q("select * from user where uid = %d limit 1", + intval($_SESSION['submanage']) + ); + if(count($r)) { + $uid = intval($r[0]['uid']); + $orig_record = $r[0]; + } + } + + $r = q("select * from manage where uid = %d", + intval($uid) + ); + + $submanage = $r; + $identity = ((x($_POST['identity'])) ? intval($_POST['identity']) : 0); if(! $identity) return; - $r = q("SELECT * FROM `user` WHERE `uid` = %d AND `email` = '%s' AND `password` = '%s' LIMIT 1", - intval($identity), - dbesc($a->user['email']), - dbesc($a->user['password']) - ); + $limited_id = 0; + $original_id = $uid; + + if(count($submanage)) { + foreach($submanage as $m) { + if($identity == $m['mid']) { + $limited_id = $m['mid']; + break; + } + } + } + + if($limited_id) { + $r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", + intval($limited_id) + ); + } + else { + $r = q("SELECT * FROM `user` WHERE `uid` = %d AND `email` = '%s' AND `password` = '%s' LIMIT 1", + intval($identity), + dbesc($orig_record['email']), + dbesc($orig_record['password']) + ); + } if(! count($r)) return; @@ -27,11 +65,15 @@ function manage_post(&$a) { unset($_SESSION['theme']); unset($_SESSION['page_flags']); unset($_SESSION['return_url']); - + if(x($_SESSION,'submanage')) + unset($_SESSION['submanage']); require_once('include/security.php'); authenticate_success($r[0],true,true); + if($limited_id) + $_SESSION['submanage'] = $original_id; + goaway($a->get_baseurl() . '/profile/' . $a->user['nickname']); // NOTREACHED } @@ -40,23 +82,15 @@ function manage_post(&$a) { function manage_content(&$a) { - if(! local_user() || ! is_array($a->identities)) { + if(! local_user()) { notice( t('Permission denied.') . EOL); return; } - $r = q("SELECT * FROM `user` WHERE `email` = '%s' AND `password` = '%s'", - dbesc($a->user['email']), - dbesc($a->user['password']) - ); - if(! count($r)) - return; - - $o = '<h3>' . t('Manage Identities and/or Pages') . '</h3>'; - $o .= '<div id="identity-manage-desc">' . t("\x28Toggle between different identities or community/group pages which share your account details.\x29") . '</div>'; + $o .= '<div id="identity-manage-desc">' . t('Toggle between different identities or community/group pages which share your account details or which you have been granted "manage" permissions') . '</div>'; $o .= '<div id="identity-manage-choose">' . t('Select an identity to manage: ') . '</div>'; @@ -64,7 +98,7 @@ function manage_content(&$a) { $o .= '<form action="manage" method="post" >' . "\r\n"; $o .= '<select name="identity" size="4">' . "\r\n"; - foreach($r as $rr) { + foreach($a->identities as $rr) { $selected = (($rr['nickname'] === $a->user['nickname']) ? ' selected="selected" ' : ''); $o .= '<option ' . $selected . 'value="' . $rr['uid'] . '">' . $rr['username'] . ' (' . $rr['nickname'] . ')</option>' . "\r\n"; } diff --git a/mod/settings.php b/mod/settings.php index 8ca0bb7f8..c61d5c227 100755 --- a/mod/settings.php +++ b/mod/settings.php @@ -39,10 +39,11 @@ EOT; function settings_post(&$a) { - if(! local_user()) { - notice( t('Permission denied.') . EOL); + if(! local_user()) + return; + + if(x($_SESSION,'submanage') && intval($_SESSION['submanage'])) return; - } if(count($a->user) && x($a->user,'uid') && $a->user['uid'] != local_user()) { notice( t('Permission denied.') . EOL); @@ -403,6 +404,11 @@ function settings_content(&$a) { notice( t('Permission denied.') . EOL ); return; } + + if(x($_SESSION,'submanage') && intval($_SESSION['submanage'])) { + notice( t('Permission denied.') . EOL ); + return; + } $tabs = array( array( diff --git a/update.php b/update.php index 166602fb9..e1900e807 100755 --- a/update.php +++ b/update.php @@ -1,6 +1,6 @@ <?php -define( 'UPDATE_VERSION' , 1116 ); +define( 'UPDATE_VERSION' , 1117 ); /** * @@ -997,3 +997,15 @@ function update_1115() { ADD INDEX (`moderated`) "); } + +function update_1116() { +q("create table if not exists `manage` { +`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY , +`uid` INT NOT NULL , +`mid` INT NOT NULL, +INDEX ( `uid` ), +INDEX ( `mid` ) +) ENGINE = MYISAM "); + +} + |