aboutsummaryrefslogtreecommitdiffstats
path: root/include/items.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/items.php')
-rwxr-xr-xinclude/items.php32
1 files changed, 28 insertions, 4 deletions
diff --git a/include/items.php b/include/items.php
index 800684ae2..28aa632ca 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1429,6 +1429,8 @@ function item_store($arr,$allow_exec = false) {
return ret;
}
+ $uplinked_comment = false;
+
// If a page layout is provided, ensure it exists and belongs to us.
if(array_key_exists('layout_mid',$arr) && $arr['layout_mid']) {
@@ -1620,6 +1622,16 @@ function item_store($arr,$allow_exec = false) {
if($r[0]['item_flags'] & ITEM_WALL)
$arr['item_flags'] = $arr['item_flags'] | ITEM_WALL;
+
+ // An uplinked comment might arrive with a downstream owner.
+ // Fix it.
+
+ if($r[0]['owner_xchan'] !== $arr['owner_xchan']) {
+ $arr['owner_xchan'] = $r[0]['owner_xchan'];
+ $uplinked_comment = true;
+ }
+
+
// if the parent is private, force privacy for the entire conversation
// This differs from the above settings as it subtly allows comments from
// email correspondents to be private even if the overall thread is not.
@@ -2136,11 +2148,9 @@ function tag_deliver($uid,$item_id) {
intval($uid)
);
-// issue #59
-// FIXME - check security on post and allowed senders, right now we just allow it. The author *may* be foreign and the original owner is lost on our copy of the post. So this could be very hard to verify. For instance what happens if the top-level post was a wall-to-wall?
-// if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK) && ($x[0]['author_xchan'] == $item['author_xchan'])) {
+
if(($x) && ($x[0]['item_flags'] & ITEM_UPLINK)) {
-// logger('tag_deliver: creating second delivery chain for owner comment.');
+
logger('tag_deliver: creating second delivery chain for comment to tagged post.');
// now change this copy of the post to a forum head message and deliver to all the tgroup members
@@ -2150,6 +2160,14 @@ function tag_deliver($uid,$item_id) {
$flag_bits = ITEM_WALL|ITEM_ORIGIN;
+ // maintain the original source, which will be the original item owner and was stored in source_xchan
+ // when we created the delivery fork
+
+ $r = q("update item set source_xchan = '%s' where id = %d limit 1",
+ dbesc($x[0]['source_xchan']),
+ intval($item_id)
+ );
+
$r = q("update item set item_flags = ( item_flags | %d ), owner_xchan = '%s', allow_cid = '%s', allow_gid = '%s',
deny_cid = '%s', deny_gid = '%s', item_private = %d where id = %d limit 1",
intval($flag_bits),
@@ -2249,6 +2267,12 @@ function tag_deliver($uid,$item_id) {
$flag_bits = ITEM_WALL|ITEM_ORIGIN|ITEM_UPLINK;
+ // preserve the source
+
+ $r = q("update item set source_xchan = owner_xchan where id = %d limit 1",
+ intval($item_id)
+ );
+
$r = q("update item set item_flags = ( item_flags | %d ), owner_xchan = '%s', allow_cid = '%s', allow_gid = '%s',
deny_cid = '%s', deny_gid = '%s', item_private = %d where id = %d limit 1",
intval($flag_bits),