aboutsummaryrefslogtreecommitdiffstats
path: root/include/attach.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/attach.php')
-rw-r--r--include/attach.php67
1 files changed, 64 insertions, 3 deletions
diff --git a/include/attach.php b/include/attach.php
index 64d6a1689..46d406f4b 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -1,4 +1,4 @@
-<?php
+<?php /** @file */
/*
* File/attach API with the potential for revision control.
@@ -10,6 +10,7 @@
*/
require_once('include/permissions.php');
+require_once('include/security.php');
function z_mime_content_type($filename) {
@@ -192,13 +193,13 @@ function attach_by_hash($hash,$rev = 0) {
$sql_extra = permissions_sql($r[0]['uid']);
// Now we'll see if we can access the attachment
-
+dbg(1);
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
dbesc($hash),
intval($r[0]['uid'])
);
-
+dbg(0);
if(! $r) {
$ret['message'] = t('Permission denied.');
return $ret;
@@ -439,4 +440,64 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
$ret['success'] = true;
$ret['data'] = $r[0];
return $ret;
+}
+
+
+/**
+ * Read a virtual directory and return contents, checking permissions of all parent components.
+ * @function z_readdir
+ * @param integer $channel_id
+ * @param string $observer_hash
+ * @param string $pathname
+ * @param string $parent_hash (optional)
+ *
+ * @returns array $ret
+ * $ret['success'] = boolean true or false
+ * $ret['message'] = error message if success is false
+ * $ret['data'] = array of attach DB entries without data component
+ */
+
+function z_readdir($channel_id,$observer_hash,$pathname, $parent_hash = '') {
+
+ $ret = array('success' => false);
+ if(! perm_is_allowed($r[0]['uid'],get_observer_hash(),'view_storage')) {
+ $ret['message'] = t('Permission denied.');
+ return $ret;
+ }
+
+
+ if(strpos($pathname,'/')) {
+ $paths = explode('/',$pathname);
+ if(count($paths) > 1) {
+ $curpath = array_shift($paths);
+
+ $r = q("select hash, id from attach where uid = %d and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id) . " limit 1",
+ intval($channel_id),
+ dbesc($curpath),
+ intval(ATTACH_FLAG_DIR)
+ );
+ if(! $r) {
+ $ret['message'] = t('Path not available.');
+ return $ret;
+ }
+
+ return z_readdir($channel_id,$observer_hash,implode('/',$paths),$r[0]['hash']);
+ }
+ }
+ else
+ $paths = array($pathname);
+
+ $r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id),
+ intval($channel_id),
+ dbesc($parent_hash),
+ dbesc($paths[0]),
+ intval(ATTACH_FLAG_DIR)
+ );
+ if(! $r) {
+ $ret['message'] = t('Path not available.');
+ return $ret;
+ }
+ $ret['success'] = true;
+ $ret['data'] = $r;
+ return $ret;
} \ No newline at end of file