Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Activity.php2
-rw-r--r--Zotlabs/Module/Cdav.php34
-rw-r--r--Zotlabs/Module/Display.php21
-rw-r--r--Zotlabs/Module/Follow.php4
-rw-r--r--Zotlabs/Module/Item.php9
-rw-r--r--Zotlabs/Module/Oep.php1
-rw-r--r--Zotlabs/Module/Sse_bs.php24
-rw-r--r--Zotlabs/Module/Wall_upload.php22
8 files changed, 57 insertions, 60 deletions
diff --git a/Zotlabs/Module/Activity.php b/Zotlabs/Module/Activity.php
index 2fbc35274..4ddfe602d 100644
--- a/Zotlabs/Module/Activity.php
+++ b/Zotlabs/Module/Activity.php
@@ -182,7 +182,7 @@ class Activity extends Controller {
return;
}
- $ob_authorise = false;
+ $ob_authorize = false;
$item_uid = 0;
$bear = ZlibActivity::token_from_request();
diff --git a/Zotlabs/Module/Cdav.php b/Zotlabs/Module/Cdav.php
index e68b2e5b4..8e77515ce 100644
--- a/Zotlabs/Module/Cdav.php
+++ b/Zotlabs/Module/Cdav.php
@@ -332,9 +332,9 @@ class Cdav extends Controller {
} while ($duplicate == true);
$properties = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'],
- '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color'],
- '{urn:ietf:params:xml:ns:caldav}calendar-description' => $channel['channel_name']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']),
+ '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color']),
+ '{urn:ietf:params:xml:ns:caldav}calendar-description' => escape_tags($channel['channel_name'])
];
$id = $caldavBackend->createCalendar($principalUri, $calendarUri, $properties);
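Review bot: The new `escape_tags()` wrappers still read `$_REQUEST['{DAV:}displayname']` and `$_REQUEST['color']` without checking that the keys exist, so a request missing either still reaches `createCalendar()` with a notice and an empty value; `escape_tags($_REQUEST['color'] ?? '')` (and the same for the other keys) closes that, and the identical pattern recurs in the hunks at @@ -366, @@ -374, @@ -441, @@ -471, @@ -654 and @@ -678. escape_tags() only neutralises markup; the colour is consumed by CalDAV clients as a colour value, so a format check before storing (constructed example: `preg_match('/^#[0-9A-Fa-f]{6,8}$/', $color)`) would be the stronger validation. If escape_tags() HTML-encodes rather than strips — its definition is not on this page — the stored display name will carry entities such as `&amp;` to non-HTML DAV clients, which is worth confirming against its implementation. The enclosing method continues outside this hunk.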
@@ -366,7 +366,7 @@ class Cdav extends Controller {
$allday = $_REQUEST['allday'];
- $title = $_REQUEST['title'];
+ $title = escape_tags($_REQUEST['title']);
$start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']);
$dtstart = new \DateTime($start);
@@ -374,8 +374,8 @@ class Cdav extends Controller {
$end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']);
$dtend = new \DateTime($end);
}
- $description = $_REQUEST['description'];
- $location = $_REQUEST['location'];
+ $description = escape_tags($_REQUEST['description']);
+ $location = escape_tags($_REQUEST['location']);
do {
$duplicate = false;
@@ -441,8 +441,8 @@ class Cdav extends Controller {
$cdavdata = $this->get_cdav_data($id[0], 'calendarinstances');
$mutations = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname'],
- '{http://apple.com/ns/ical/}calendar-color' => $_REQUEST['color']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname']),
+ '{http://apple.com/ns/ical/}calendar-color' => escape_tags($_REQUEST['color'])
];
$patch = new \Sabre\DAV\PropPatch($mutations);
@@ -471,18 +471,18 @@ class Cdav extends Controller {
$timezone = ((x($_POST,'timezone_select')) ? escape_tags(trim($_POST['timezone_select'])) : '');
$tz = (($timezone) ? $timezone : date_default_timezone_get());
- $allday = $_REQUEST['allday'];
+ $allday = intval($_REQUEST['allday']);
- $uri = $_REQUEST['uri'];
- $title = $_REQUEST['title'];
+ $uri = escape_tags($_REQUEST['uri']);
+ $title = escape_tags($_REQUEST['title']);
$start = datetime_convert('UTC', 'UTC', $_REQUEST['dtstart']);
$dtstart = new \DateTime($start);
if($_REQUEST['dtend']) {
$end = datetime_convert('UTC', 'UTC', $_REQUEST['dtend']);
$dtend = new \DateTime($end);
}
- $description = $_REQUEST['description'];
- $location = $_REQUEST['location'];
+ $description = escape_tags($_REQUEST['description']);
+ $location = escape_tags($_REQUEST['location']);
$object = $caldavBackend->getCalendarObject($id, $uri);
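Review bot: `$uri = escape_tags($_REQUEST['uri']);` changes the lookup key handed to `$caldavBackend->getCalendarObject($id, $uri)`, so an object whose stored URI contains a character escape_tags() rewrites would no longer be found, while what a DAV object URI actually needs is path validation rather than HTML escaping; rejecting a value containing `/` or `..` (or `return;` when `$_REQUEST['uri']` is unset) is the check that matters here. The `$allday = intval($_REQUEST['allday']);` cast in this hunk also diverges from the create path at @@ -366, which still assigns `$allday = $_REQUEST['allday'];` raw — both paths should use the same cast. `if($_REQUEST['dtend'])` on the context line reads an optional key without `?? ''`. The enclosing method starts and ends outside the hunk.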
@@ -654,7 +654,7 @@ class Cdav extends Controller {
$duplicate = true;
} while ($duplicate == true);
- $properties = ['{DAV:}displayname' => $_REQUEST['{DAV:}displayname']];
+ $properties = ['{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname'])];
$carddavBackend->createAddressBook($principalUri, $addressbookUri, $properties);
@@ -668,9 +668,9 @@ class Cdav extends Controller {
}
//edit addressbook
- if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && intval($_REQUEST['id'])) {
+ if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $_REQUEST['id']) {
- $id = $_REQUEST['id'];
+ $id = intval($_REQUEST['id']);
if(! cdav_perms($id,$addressbooks))
return;
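Review bot: The rewritten guard `if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $_REQUEST['id'])` tests the raw id for truthiness, so a non-numeric value such as `abc` now passes the guard, is reduced to `0` by the `intval()` on the following new line, and reaches `cdav_perms($id, $addressbooks)`; the previous `intval()` inside the condition rejected it before any permission lookup. Casting first and guarding on the cast keeps the early rejection: `$id = intval($_REQUEST['id'] ?? 0);` followed by `if($_REQUEST['{DAV:}displayname'] && $_REQUEST['edit'] && $id) {`. Whether cdav_perms() itself refuses an id of 0 cannot be seen from this hunk, so the reordering is the safer form either way.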
@@ -678,7 +678,7 @@ class Cdav extends Controller {
$cdavdata = $this->get_cdav_data($id, 'addressbooks');
$mutations = [
- '{DAV:}displayname' => $_REQUEST['{DAV:}displayname']
+ '{DAV:}displayname' => escape_tags($_REQUEST['{DAV:}displayname'])
];
$patch = new \Sabre\DAV\PropPatch($mutations);
diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php
index 0aac96f4a..1a1c09d7c 100644
--- a/Zotlabs/Module/Display.php
+++ b/Zotlabs/Module/Display.php
@@ -213,27 +213,27 @@ class Display extends \Zotlabs\Web\Controller {
$observer_hash = get_observer_hash();
$item_normal = item_normal();
$item_normal_update = item_normal_update();
-
- $sql_extra = ((local_channel()) ? EMPTY_STR : item_permissions_sql(0, $observer_hash));
+ $sql_extra = '';
+ $r = [];
if($noscript_content || $load) {
-
require_once('include/channel.php');
$sys = get_sys_channel();
// in case somebody turned off public access to sys channel content using permissions
// make that content unsearchable by ensuring the owner uid can't match
$sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0;
- $r = null;
-
if(local_channel()) {
$r = q("SELECT item.id AS item_id FROM item WHERE uid = %d AND mid = '%s' $item_normal LIMIT 1",
intval(local_channel()),
dbesc($target_item['parent_mid'])
);
+
}
- if($r === null) {
+ if(!$r) {
+ $sql_extra = item_permissions_sql(0, $observer_hash);
+
$r = q("SELECT item.id AS item_id FROM item
WHERE ((mid = '%s'
AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = ''
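Review bot: `$sql_extra = item_permissions_sql(0, $observer_hash);` is assigned inside the `if(!$r)` fallback here and again, verbatim, in the second hunk at @@ -270; computing the clause once before the branch (for example `$perm_sql = item_permissions_sql(0, $observer_hash);`) and assigning `$sql_extra = $perm_sql;` in each fallback removes the duplication and makes the permission filter a single point to review. Switching from `$r === null` to `!$r` also means a `false` return from q() (a query error) now falls through to the public, permission-filtered query, which looks intentional but should be stated in a comment such as `// empty or failed own-channel lookup: retry as a permission-filtered public lookup`. Where `$sql_extra` is consumed is outside the hunk, so whether an empty `$sql_extra` on the own-channel path is always paired with a uid restriction cannot be confirmed here. The enclosing method starts and ends outside the hunk.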
@@ -257,7 +257,6 @@ class Display extends \Zotlabs\Web\Controller {
// make that content unsearchable by ensuring the owner uid can't match
$sys_id = perm_is_allowed($sys['channel_id'], $observer_hash, 'view_stream') ? $sys['channel_id'] : 0;
- $r = null;
if(local_channel()) {
$r = q("SELECT item.parent AS item_id from item
WHERE uid = %d
@@ -270,7 +269,9 @@ class Display extends \Zotlabs\Web\Controller {
);
}
- if($r === null) {
+ if(!$r) {
+ $sql_extra = item_permissions_sql(0, $observer_hash);
+
$r = q("SELECT item.id as item_id from item
WHERE ((parent_mid = '%s'
AND (((( item.allow_cid = '' AND item.allow_gid = '' AND item.deny_cid = ''
@@ -287,10 +288,6 @@ class Display extends \Zotlabs\Web\Controller {
}
}
- else {
- $r = [];
- }
-
if($r) {
$parents_str = ids_to_querystr($r,'item_id');
if($parents_str) {
diff --git a/Zotlabs/Module/Follow.php b/Zotlabs/Module/Follow.php
index 54e29c492..f8bfc11f3 100644
--- a/Zotlabs/Module/Follow.php
+++ b/Zotlabs/Module/Follow.php
@@ -70,12 +70,12 @@ class Follow extends Controller {
}
$uid = local_channel();
- $url = notags(trim(punify($_REQUEST['url'])));
+ $url = notags(punify(trim($_REQUEST['url'])));
$return_url = $_SESSION['return_url'];
$interactive = $_REQUEST['interactive'] ?? 1;
$channel = App::get_channel();
- $result = Connect::connect($channel,$url);
+ $result = Connect::connect($channel, $url);
if ($result['success'] == false) {
if ($result['message']) {
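Review bot: `$url = notags(punify(trim($_REQUEST['url'])));` still passes an unset key straight to `trim()`, which emits a deprecation for `null` on PHP 8.1+ and yields an empty URL that is then handed to `Connect::connect($channel, $url)`; `trim($_REQUEST['url'] ?? '')` matches the `??` form already used for `$_REQUEST['interactive']` two lines below. The method's closing is outside the hunk.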
diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index a5e7b31ea..8e6106e79 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -393,7 +393,7 @@ class Item extends Controller {
$owner_hash = null;
- $message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : '');
+ $message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : null);
$created = ((x($_REQUEST, 'created')) ? datetime_convert(date_default_timezone_get(), 'UTC', $_REQUEST['created']) : datetime_convert());
$post_id = ((x($_REQUEST, 'post_id')) ? intval($_REQUEST['post_id']) : 0);
$app = ((x($_REQUEST, 'source')) ? strip_tags($_REQUEST['source']) : '');
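Review bot: `$message_id` is only `strip_tags()`-filtered, yet with the later change in this commit (`$uuid = $uuid ?? $message_id ?? item_message_id();` at @@ -1000) an API caller's value becomes the item's uuid and the path component of its `mid` (`z_root() . '/item/' . $uuid`), so slashes, query characters and whitespace survive into the identifier. Restricting it to the character set item_message_id() produces — constructed example: `if ($message_id !== null && !preg_match('/^[A-Za-z0-9._~-]+$/', $message_id)) { $message_id = null; }` — keeps caller-supplied ids within the same shape as generated ones. The default changing from `''` to `null` may also affect any string comparison on `$message_id` between here and @@ -1000, which is outside the hunk. The enclosing method continues outside the hunk.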
@@ -710,6 +710,7 @@ class Item extends Controller {
$expires = $orig_post['expires'];
$comments_closed = $orig_post['comments_closed'];
$mid = $orig_post['mid'];
+ $uuid = $orig_post['uuid'];
$thr_parent = $orig_post['thr_parent'];
$parent_mid = $orig_post['parent_mid'];
$plink = $orig_post['plink'];
@@ -1000,10 +1001,8 @@ class Item extends Controller {
$notify_type = (($parent) ? 'comment-new' : 'wall-new');
- $uuid = (($message_id) ? $message_id : item_message_id());
-
- $mid = $mid ?? z_root() . '/item/' . $uuid;
-
+ $uuid = $uuid ?? $message_id ?? item_message_id();
+ $mid = $mid ?? z_root() . '/item/' . $uuid;
if ($is_poll) {
$poll = [
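Review bot: `$uuid = $uuid ?? $message_id ?? item_message_id();` only substitutes on `null`; if `$orig_post['uuid']` (assigned at @@ -710 in this commit) can be an empty string on older rows, an edit keeps `''` as the uuid while `$mid` is still taken from `$orig_post`, leaving the stored mid/uuid pair inconsistent. Treating empty the same as absent — `$uuid = (isset($uuid) && $uuid !== '') ? $uuid : ($message_id ?? item_message_id());` — covers that case; whether empty uuids exist in the item table cannot be seen here. The enclosing method continues outside the hunk.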
diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php
index d3ef05e16..bf17e6436 100644
--- a/Zotlabs/Module/Oep.php
+++ b/Zotlabs/Module/Oep.php
@@ -343,6 +343,7 @@ class Oep extends \Zotlabs\Web\Controller {
if(! ($chn && $res))
return;
+
$c = q("select * from channel where channel_address = '%s' limit 1",
dbesc($chn)
);
diff --git a/Zotlabs/Module/Sse_bs.php b/Zotlabs/Module/Sse_bs.php
index 3a4e4e09e..4aabcafcb 100644
--- a/Zotlabs/Module/Sse_bs.php
+++ b/Zotlabs/Module/Sse_bs.php
@@ -205,18 +205,18 @@ class Sse_bs extends Controller {
}
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
WHERE uid = %d and item_unseen = 1 AND item_wall = 0 AND item_private IN (0, 1)
AND obj_type NOT IN ('Document', 'Video', 'Audio', 'Image')
AND author_xchan != '%s'
$item_normal
- $sql_extra",
+ $sql_extra LIMIT 100",
intval(self::$uid),
dbesc(self::$ob_hash)
);
if($r)
- $result['network']['count'] = intval($r[0]['total']);
+ $result['network']['count'] = count($r);
return $result;
}
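Review bot: `$result['network']['count'] = count($r);` after `LIMIT 100` silently caps the reported count at 100 without telling the SSE consumer that the value is truncated, and the same literal is repeated in the `dm`, `home` and `pubs` hunks below (@@ -285, @@ -365, @@ -458); a class constant such as `const UNSEEN_LIMIT = 100;` used in each query makes the cap a single tunable, and the consumer should treat a count equal to the limit as "at least". Fetching up to 100 id rows to count them in PHP also moves work from the database to the web process; if the aim is to bound the scan, a subselect — `SELECT count(*) AS total FROM (SELECT id FROM item ... LIMIT 100) t` — keeps the bound while returning a single row, so the previous `intval($r[0]['total'])` could stay. The method's opening is outside the hunk.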
@@ -285,17 +285,17 @@ class Sse_bs extends Controller {
}
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
WHERE uid = %d and item_unseen = 1 AND item_private = 2
$item_normal
$sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
intval(self::$uid),
dbesc(self::$ob_hash)
);
if($r)
- $result['dm']['count'] = intval($r[0]['total']);
+ $result['dm']['count'] = count($r);
return $result;
}
@@ -365,17 +365,17 @@ class Sse_bs extends Controller {
}
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
WHERE uid = %d and item_unseen = 1 AND item_wall = 1 AND item_private IN (0, 1)
$item_normal
$sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
intval(self::$uid),
dbesc(self::$ob_hash)
);
if($r)
- $result['home']['count'] = intval($r[0]['total']);
+ $result['home']['count'] = count($r);
return $result;
}
@@ -458,19 +458,19 @@ class Sse_bs extends Controller {
}
- $r = q("SELECT count(id) as total FROM item
+ $r = q("SELECT id FROM item
WHERE uid = %d AND item_unseen = 1
AND created > '%s'
$item_normal
$sql_extra
- AND author_xchan != '%s'",
+ AND author_xchan != '%s' LIMIT 100",
intval($sys['channel_id']),
dbescdate($_SESSION['static_loadtime']),
dbesc(self::$ob_hash)
);
if($r)
- $result['pubs']['count'] = intval($r[0]['total']);
+ $result['pubs']['count'] = count($r);
return $result;
}
diff --git a/Zotlabs/Module/Wall_upload.php b/Zotlabs/Module/Wall_upload.php
index 6d58e4032..3e979588c 100644
--- a/Zotlabs/Module/Wall_upload.php
+++ b/Zotlabs/Module/Wall_upload.php
@@ -11,10 +11,10 @@ require_once('include/photos.php');
class Wall_upload extends \Zotlabs\Web\Controller {
function post() {
-
-
- $using_api = ((x($_FILES,'media')) ? true : false);
-
+
+
+ $using_api = ((x($_FILES,'media')) ? true : false);
+
if($using_api) {
require_once('include/api.php');
if(api_user())
@@ -24,32 +24,32 @@ class Wall_upload extends \Zotlabs\Web\Controller {
if(argc() > 1)
$channel = channelx_by_nick(argv(1));
}
-
+
if(! $channel) {
if($using_api)
return;
notice( t('Channel not found.') . EOL);
killme();
}
-
+
$observer = \App::get_observer();
-
+
$args = array( 'source' => 'editor', 'visible' => 0, 'contact_allow' => array($channel['channel_hash']));
-
+
$ret = photo_upload($channel,$observer,$args);
-
+
if(! $ret['success']) {
if($using_api)
return;
notice($ret['message']);
killme();
}
-
+
if($using_api)
return("\n\n" . $ret['body'] . "\n\n");
else
echo "\n\n" . $ret['body'] . "\n\n";
killme();
}
-
+
}