diff options
Diffstat (limited to 'Zotlabs/Module')
| -rw-r--r-- | Zotlabs/Module/Filestorage.php | 39 | ||||
| -rw-r--r-- | Zotlabs/Module/Item.php | 28 | ||||
| -rw-r--r-- | Zotlabs/Module/Oep.php | 2 | ||||
| -rw-r--r-- | Zotlabs/Module/Photos.php | 41 | ||||
| -rw-r--r-- | Zotlabs/Module/Settings/Channel.php | 15 |
5 files changed, 88 insertions, 37 deletions
diff --git a/Zotlabs/Module/Filestorage.php b/Zotlabs/Module/Filestorage.php index 5c8557e5a..cd9ab601d 100644 --- a/Zotlabs/Module/Filestorage.php +++ b/Zotlabs/Module/Filestorage.php @@ -66,7 +66,7 @@ class Filestorage extends \Zotlabs\Web\Controller { $perms = get_all_perms($owner, $ob_hash); - if(! $perms['view_storage']) { + if(! ($perms['view_storage'] || is_site_admin())){ notice( t('Permission denied.') . EOL); return; } @@ -75,15 +75,29 @@ class Filestorage extends \Zotlabs\Web\Controller { // need to return for anyone other than the owner, despite the perms check for now. $is_owner = (((local_channel()) && ($owner == local_channel())) ? true : false); - if(! $is_owner) { + if(! ($is_owner || is_site_admin())){ info( t('Permission Denied.') . EOL ); return; } if(argc() > 3 && argv(3) === 'delete') { + + if(argc() > 4 && argv(4) === 'json') + $json_return = true; + + + $admin_delete = false; + if(! $perms['write_storage']) { - notice( t('Permission denied.') . EOL); - return; + if(is_site_admin()) { + $admin_delete = true; + } + else { + notice( t('Permission denied.') . EOL); + if($json_return) + json_return_and_die([ 'success' => false ]); + return; + } } $file = intval(argv(2)); @@ -92,22 +106,31 @@ class Filestorage extends \Zotlabs\Web\Controller { intval($owner) ); if(! $r) { + if($json_return) + json_return_and_die([ 'success' => false ]); + notice( t('File not found.') . EOL); goaway(z_root() . '/cloud/' . $which); } $f = $r[0]; - $channel = \App::get_channel(); + + $channel = channelx_by_n($owner); $url = get_cloud_url($channel['channel_id'], $channel['channel_address'], $f['hash']); attach_delete($owner, $f['hash']); - $sync = attach_export_data($channel, $f['hash'], true); - if($sync) { - build_sync_packet($channel['channel_id'], array('file' => array($sync))); + if(! $admin_delete) { + $sync = attach_export_data($channel, $f['hash'], true); + if($sync) { + build_sync_packet($channel['channel_id'], array('file' => array($sync))); + } } + if(json_return) + json_return_and_die([ 'success' => true ]); + goaway(dirname($url)); } diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php index bba1dc02d..fd99c4a64 100644 --- a/Zotlabs/Module/Item.php +++ b/Zotlabs/Module/Item.php @@ -1084,24 +1084,36 @@ class Item extends \Zotlabs\Web\Controller { if((argc() == 3) && (argv(1) === 'drop') && intval(argv(2))) { require_once('include/items.php'); - $i = q("select id, uid, author_xchan, owner_xchan, source_xchan, item_type from item where id = %d limit 1", + + + $i = q("select id, uid, item_origin, author_xchan, owner_xchan, source_xchan, item_type from item where id = %d limit 1", intval(argv(2)) ); if($i) { $can_delete = false; $local_delete = false; - if(local_channel() && local_channel() == $i[0]['uid']) + + if(local_channel() && local_channel() == $i[0]['uid']) { $local_delete = true; - - $sys = get_sys_channel(); - if(is_site_admin() && $sys['channel_id'] == $i[0]['uid']) - $can_delete = true; + } $ob_hash = get_observer_hash(); - if($ob_hash && ($ob_hash === $i[0]['author_xchan'] || $ob_hash === $i[0]['owner_xchan'] || $ob_hash === $i[0]['source_xchan'])) + if($ob_hash && ($ob_hash === $i[0]['author_xchan'] || $ob_hash === $i[0]['owner_xchan'] || $ob_hash === $i[0]['source_xchan'])) { $can_delete = true; - + } + + // The site admin can delete any post/item on the site. + // If the item originated on this site+channel the deletion will propagate downstream. + // Otherwise just the local copy is removed. + + if(is_site_admin()) { + $local_delete = true; + if(intval($i[0]['item_origin'])) + $can_delete = true; + } + + if(! ($can_delete || $local_delete)) { notice( t('Permission denied.') . EOL); return; diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php index ec40bf9db..0f20a5f9a 100644 --- a/Zotlabs/Module/Oep.php +++ b/Zotlabs/Module/Oep.php @@ -72,7 +72,7 @@ class Oep extends \Zotlabs\Web\Controller { $url = $args['url']; $maxwidth = intval($args['maxwidth']); $maxheight = intval($args['maxheight']); - logger('processing display'); + if(preg_match('#//(.*?)/display/(.*?)(&|\?|$)#',$url,$matches)) { $res = $matches[2]; } diff --git a/Zotlabs/Module/Photos.php b/Zotlabs/Module/Photos.php index a143c4d4c..e21f3025c 100644 --- a/Zotlabs/Module/Photos.php +++ b/Zotlabs/Module/Photos.php @@ -102,14 +102,7 @@ class Photos extends \Zotlabs\Web\Controller { if($_REQUEST['dropalbum'] == t('Delete Album')) { - - // This is dangerous because we combined file storage and photos into one interface - // This function will remove all photos from any directory with the same name since - // we have not passed the path value. - - // The correct solution would be to use a full pathname from your storage root for 'album' - // We also need to prevent/block removing the storage root folder. - + $folder_hash = ''; $r = q("select * from attach where is_dir = 1 and uid = %d and hash = '%s'", @@ -124,7 +117,8 @@ class Photos extends \Zotlabs\Web\Controller { $res = array(); - + $admin_delete = false; + // get the list of photos we are about to delete if(remote_channel() && (! local_channel())) { @@ -133,6 +127,10 @@ class Photos extends \Zotlabs\Web\Controller { elseif(local_channel()) { $str = photos_album_get_db_idstr(local_channel(),$album); } + elseif(is_site_admin()) { + $str = photos_album_get_db_idstr_admin($page_owner_uid,$album); + $admin_delete = true; + } else { $str = null; } @@ -145,7 +143,7 @@ class Photos extends \Zotlabs\Web\Controller { ); if($r) { foreach($r as $i) { - attach_delete($page_owner_uid, $i['resource_id'], 1 ); + attach_delete($page_owner_uid, $i['resource_id'], true ); } } @@ -158,12 +156,14 @@ class Photos extends \Zotlabs\Web\Controller { // @FIXME do the same for the linked attach if($folder_hash) { - attach_delete($page_owner_uid,$folder_hash, 1); - - $sync = attach_export_data(\App::$data['channel'],$folder_hash, true); + attach_delete($page_owner_uid, $folder_hash, true ); + + if(! $admin_delete) { + $sync = attach_export_data(\App::$data['channel'],$folder_hash, true); - if($sync) - build_sync_packet($page_owner_uid,array('file' => array($sync))); + if($sync) + build_sync_packet($page_owner_uid,array('file' => array($sync))); + } } } @@ -181,17 +181,22 @@ class Photos extends \Zotlabs\Web\Controller { $r = q("SELECT id, resource_id FROM photo WHERE ( xchan = '%s' or uid = %d ) AND resource_id = '%s' LIMIT 1", dbesc($ob_hash), intval(local_channel()), - dbesc(\App::$argv[2]) + dbesc(argv(2)) ); if($r) { - attach_delete($page_owner_uid, $r[0]['resource_id'], 1 ); + attach_delete($page_owner_uid, $r[0]['resource_id'], true ); $sync = attach_export_data(\App::$data['channel'],$r[0]['resource_id'], true); if($sync) build_sync_packet($page_owner_uid,array('file' => array($sync))); } - + elseif(is_site_admin()) { + // If the admin deletes a photo, don't sync + attach_delete($page_owner_uid, argv(2), true); + } + + goaway(z_root() . '/photos/' . \App::$data['channel']['channel_address'] . '/album/' . $_SESSION['album_return']); } diff --git a/Zotlabs/Module/Settings/Channel.php b/Zotlabs/Module/Settings/Channel.php index 65b9b197e..beb62a3a3 100644 --- a/Zotlabs/Module/Settings/Channel.php +++ b/Zotlabs/Module/Settings/Channel.php @@ -146,6 +146,7 @@ class Channel { $unkmail = (((x($_POST,'unkmail')) && (intval($_POST['unkmail']) == 1)) ? 1: 0); $cntunkmail = ((x($_POST,'cntunkmail')) ? intval($_POST['cntunkmail']) : 0); $suggestme = ((x($_POST,'suggestme')) ? intval($_POST['suggestme']) : 0); + $autoperms = ((x($_POST,'autoperms')) ? intval($_POST['autoperms']) : 0); $post_newfriend = (($_POST['post_newfriend'] == 1) ? 1: 0); $post_joingroup = (($_POST['post_joingroup'] == 1) ? 1: 0); @@ -252,6 +253,7 @@ class Channel { set_pconfig(local_channel(),'system','default_permcat',$defpermcat); set_pconfig(local_channel(),'system','email_notify_host',$mailhost); set_pconfig(local_channel(),'system','profile_assign',$profile_assign); + set_pconfig(local_channel(),'system','autoperms',$autoperms); $r = q("update channel set channel_name = '%s', channel_pageflags = %d, channel_timezone = '%s', channel_location = '%s', channel_notifyflags = %d, channel_max_anon_mail = %d, channel_max_friend_req = %d, channel_expire_days = %d $set_perms where channel_id = %d", dbesc($username), @@ -479,13 +481,21 @@ class Channel { if($permissions_role === 'social_party') $permissions_role = 'social_federation'; - + if(in_array($permissions_role,['forum','repository'])) + $autoperms = replace_macros(get_markup_template('field_checkbox.tpl'), [ + '$field' => [ 'autoperms',t('Automatic membership approval'), ((get_pconfig(local_channel(),'system','autoperms')) ? 1 : 0), t('If enabled, connection requests will be approved without your interaction'), $yes_no ]]); + else + $autoperms = '<input type="hidden" name="autoperms" value="' . intval(get_pconfig(local_channel(),'system','autoperms')) . '" />'; + $permissions_set = (($permissions_role != 'custom') ? true : false); $perm_roles = \Zotlabs\Access\PermissionRoles::roles(); if((get_account_techlevel() < 4) && $permissions_role !== 'custom') unset($perm_roles[t('Other')]); + + + $vnotify = get_pconfig(local_channel(),'system','vnotify'); $always_show_in_notices = get_pconfig(local_channel(),'system','always_show_in_notices'); if($vnotify === false) @@ -497,6 +507,7 @@ class Channel { $disable_discover_tab = intval(get_config('system','disable_discover_tab',1)) == 1; $site_firehose = intval(get_config('system','site_firehose',0)) == 1; + $o .= replace_macros($stpl,array( '$ptitle' => t('Channel Settings'), @@ -553,7 +564,7 @@ class Channel { '$unkmail' => $unkmail, '$cntunkmail' => array('cntunkmail', t('Maximum private messages per day from unknown people:'), intval($channel['channel_max_anon_mail']) ,t("Useful to reduce spamming")), - + '$autoperms' => $autoperms, '$h_not' => t('Notification Settings'), '$activity_options' => t('By default post a status message when:'), '$post_newfriend' => array('post_newfriend', t('accepting a friend request'), $post_newfriend, '', $yes_no), |