Diffstat (limited to 'include/attach.php')
-rw-r--r--include/attach.php81
1 files changed, 53 insertions, 28 deletions
diff --git a/include/attach.php b/include/attach.php
index 224af12c6..ead5a8e06 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -254,7 +254,7 @@ function attach_list_files($channel_id, $observer, $hash = '', $filename = '', $
* @param int $rev (optional) Revision default 0
* @return array
*/
-function attach_by_hash($hash, $observer_hash, $rev = 0) {
+function attach_by_hash($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) {
$ret = array('success' => false);
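Review bot: The docblock above `attach_by_hash` still ends at `@param int $rev` and does not describe the new `$token` argument. The same gap applies to the changed signatures of `attach_by_id` and `attach_by_hash_nodata` later in this file. I would add `@param string $token (optional) OCAP access token, default EMPTY_STR` to each. The description should also say that a non-empty token changes which permission checks run, since the later hunks show that callers passing one take a different authorisation path.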
@@ -274,7 +274,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
return $ret;
}
- if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $hash, $token)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
@@ -311,7 +311,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
* @param string $observer_hash
* @return array
*/
-function attach_by_id($id, $observer_hash) {
+function attach_by_id($id, $observer_hash, $token = EMPTY_STR) {
$ret = array('success' => false);
@@ -325,7 +325,7 @@ function attach_by_id($id, $observer_hash) {
return $ret;
}
- if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'])) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'], $token)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
@@ -338,49 +338,56 @@ function attach_by_id($id, $observer_hash) {
return $ret;
}
-function attach_can_view($uid,$ob_hash,$resource) {
+function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) {
- $sql_extra = permissions_sql($uid,$ob_hash);
- $hash = $resource;
-
- if(! perm_is_allowed($uid,$ob_hash,'view_storage')) {
- return false;
+ if (!$token) {
+ if(! perm_is_allowed($uid, $ob_hash, 'view_storage')) {
+ return false;
+ }
}
+ $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
+
$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
- dbesc($hash),
+ dbesc($resource),
intval($uid)
);
- if(! $r) {
+
+ if(!$r) {
return false;
}
- return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']);
+ // don't perform recursive folder check when using OCAP. Only when using ACL access.
+ // For OCAP if the token is valid they can see the thing.
-}
+ if ($token) {
+ return true;
+ }
+
+ return attach_can_view_folder($uid, $ob_hash, $r[0]['folder'], $token);
+}
-function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
- $sql_extra = permissions_sql($uid,$ob_hash);
- $hash = $folder_hash;
+function attach_can_view_folder($uid, $ob_hash, $folder_hash, $token = EMPTY_STR) {
- if(! $folder_hash) {
- return perm_is_allowed($uid,$ob_hash,'view_storage');
+ if(!$folder_hash && !$token) {
+ return perm_is_allowed($uid, $ob_hash, 'view_storage');
}
+ $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
do {
$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
- dbesc($hash),
+ dbesc($folder_hash),
intval($uid)
);
if(! $r)
return false;
- $hash = $r[0]['folder'];
- } while($hash);
+ $folder_hash = $r[0]['folder'];
+ } while($folder_hash);
return true;
}
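Review bot: When `$token` is non-empty, `attach_can_view` skips the `view_storage` check and returns true as soon as the row query matches, so the clause appended by `permissions_sql($uid, $ob_hash, '', $token)` is the only access control on this path. That function is outside this diff, so it is worth confirming that an unknown or malformed token yields a clause matching no rows rather than falling back to a permissive one. Because of the `if ($token) { return true; }` guard, `$token` is always empty at the final call. `return attach_can_view_folder($uid, $ob_hash, $r[0]['folder']);` would behave the same without implying that the folder walk is token-aware here. Neither function has a docblock; a short one stating that a valid token replaces both the ACL check and the recursive folder check would make the trust decision explicit.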
@@ -400,7 +407,7 @@ function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
* * \e string \b message (optional) only when success is false
* * \e array \b data array of attach DB entry without data component
*/
-function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
+function attach_by_hash_nodata($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) {
$ret = array('success' => false);
@@ -425,7 +432,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
return $ret;
}
- $sql_extra = permissions_sql($r[0]['uid'], $observer_hash);
+ $sql_extra = permissions_sql($r[0]['uid'], $observer_hash, '', $token);
// Now we'll see if we can access the attachment
@@ -440,7 +447,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
}
if($r[0]['folder']) {
- $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder']);
+ $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder'], $token);
if(! $x) {
$ret['message'] = t('Permission denied.');
return $ret;
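Review bot: With a token, this branch still walks the parent folders through `attach_can_view_folder(..., $token)`, while `attach_can_view` in the same commit deliberately returns true for a token holder without that walk ("don't perform recursive folder check when using OCAP"). The two entry points can therefore disagree for the same token: `attach_by_hash` may grant access to a file that `attach_by_hash_nodata` refuses because a parent folder row does not carry the token. This assumes `permissions_sql` restricts rows to those listing the token, which is not visible here. The mismatch fails closed, so it is a consistency problem rather than a bypass. If the `attach_can_view` behaviour is intended, the guard here could be `if($r[0]['folder'] && !$token) {`. The enclosing function continues outside this hunk.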
@@ -508,7 +515,7 @@ function attach_store($channel, $observer_hash, $options = '', $arr = null) {
$upload_path = $arr['directory'] ?? '';
$visible = $arr['visible'] ?? 0;
$notify = $arr['notify'] ?? 0;
-
+ $flags = (($arr && array_key_exists('flags', $arr)) ? intval($arr['flags']) : 0);
$observer = array();
$dosync = ((array_key_exists('nosync',$arr) && $arr['nosync']) ? 0 : 1);
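Review bot: The new `$flags` line guards `$arr` with `$arr && array_key_exists('flags', $arr)`, while the three assignments just above read their options with `$arr['…'] ?? …`. `$flags = intval($arr['flags'] ?? 0);` would match them and handles a null `$arr` the same way. The value is later written to the `attach.flags` column with only an `intval()` cast. Whether any caller fills `$arr['flags']` from request data cannot be determined from this hunk; if one does, the value should be masked to the bits a caller is allowed to set before it is stored.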
@@ -933,8 +940,8 @@ function attach_store($channel, $observer_hash, $options = '', $arr = null) {
);
}
else {
- $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, folder, filesize, revision, os_storage, is_photo, content, created, edited, os_path, display_path, allow_cid, allow_gid,deny_cid, deny_gid )
- VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+ $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, folder, filesize, revision, os_storage, is_photo, flags, content, created, edited, os_path, display_path, allow_cid, allow_gid,deny_cid, deny_gid )
+ VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
intval($channel['channel_account_id']),
intval($channel_id),
dbesc($hash),
@@ -946,6 +953,7 @@ function attach_store($channel, $observer_hash, $options = '', $arr = null) {
intval(0),
intval(1),
intval($is_photo),
+ intval($flags),
dbescbin($os_basepath . $os_relpath),
dbesc($created),
dbesc($created),
@@ -1413,6 +1421,23 @@ function attach_change_permissions($channel_id, $resource, $allow_cid, $allow_gi
if(! $r)
return;
+ $private = $allow_cid || $allow_gid || $deny_cid || $deny_gid;
+
+ // preserve any existing tokens that may have been set for this file
+ // @fixme - we need a way to unconditionally clear these if desired.
+
+ if ($private) {
+ $token_matches = null;
+ if (preg_match_all('/\<token:(.*?)\>/', $r[0]['allow_cid'], $token_matches, PREG_SET_ORDER)) {
+ foreach ($token_matches as $m) {
+ $tok = '<token:' . $m[1] . '>';
+ if (!str_contains($allow_cid, $tok)) {
+ $allow_cid .= $tok;
+ }
+ }
+ }
+ }
+
if(intval($r[0]['is_dir'])) {
if($recurse) {
$r = q("select hash, flags, is_dir from attach where folder = '%s' and uid = %d",
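Review bot: The carry-over under `if ($private)` means a capability token cannot be revoked through `attach_change_permissions`. Every call that sets a non-empty ACL re-appends each `<token:…>` found in the stored `allow_cid`, and the `@fixme` confirms there is no clearing path yet. Until one exists, the function's docblock should state that tokens survive permission changes, so callers do not assume that tightening the ACL cuts off earlier link holders. `$allow_cid` is also modified in place before the `is_dir` / `$recurse` branch, which continues outside this hunk. If that branch passes the same variable to child entries, the directory's tokens would be copied onto every file beneath it, so please confirm that is intended. Separately, `(.*?)` accepts any characters as a token body; `'/<token:([^<>]+)>/'` would keep a malformed stored value from being re-emitted.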