diff options
Diffstat (limited to 'include/items.php')
-rw-r--r--[-rwxr-xr-x] | include/items.php | 67 |
1 files changed, 51 insertions, 16 deletions
diff --git a/include/items.php b/include/items.php index 5a297c83e..ee6960534 100755..100644 --- a/include/items.php +++ b/include/items.php @@ -7,14 +7,11 @@ require_once('include/crypto.php'); function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0) { - // default permissions - anonymous user - - if(! strlen($owner_nick)) - killme(); + $sitefeed = ((strlen($owner_nick)) ? false : true); // not yet implemented, need to rewrite huge chunks of following logic $public_feed = (($dfrn_id) ? false : true); - $starred = false; - $converse = false; + $starred = false; // not yet implemented, possible security issues + $converse = false; if($public_feed && $a->argc > 2) { for($x = 2; $x < $a->argc; $x++) { @@ -25,6 +22,7 @@ function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0) } } + // default permissions - anonymous user $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; @@ -418,7 +416,7 @@ function get_atom_elements($feed,$item) { // the wild, by sanitising it and converting supported tags to bbcode before we rip out any remaining // html. - if((strpos($res['body'],'<') !== false) || (strpos($res['body'],'>') !== false)) { + if((strpos($res['body'],'<') !== false) && (strpos($res['body'],'>') !== false)) { $res['body'] = reltoabs($res['body'],$base_url); @@ -431,14 +429,22 @@ function get_atom_elements($feed,$item) { // we shouldn't need a whitelist, because the bbcode converter // will strip out any unsupported tags. - // $config->set('HTML.Allowed', 'p,b,a[href],i'); $purifier = new HTMLPurifier($config); $res['body'] = $purifier->purify($res['body']); - $res['body'] = html2bbcode($res['body']); + $res['body'] = @html2bbcode($res['body']); + } + elseif(! $have_real_body) { + + // it's not one of our messages and it has no tags + // so it's probably just text. We'll escape it just to be safe. + + $res['body'] = escape_tags($res['body']); } + // this tag is obsolete but we keep it for really old sites + $allow = $item->get_item_tags(NAMESPACE_DFRN,'comment-allow'); if($allow && $allow[0]['data'] == 1) $res['last-child'] = 1; @@ -1092,12 +1098,23 @@ function dfrn_deliver($owner,$contact,$atom, $dissolve = false) { $postvars = array(); $sent_dfrn_id = hex2bin((string) $res->dfrn_id); $challenge = hex2bin((string) $res->challenge); + $perm = (($res->perm) ? $res->perm : null); $dfrn_version = (float) (($res->dfrn_version) ? $res->dfrn_version : 2.0); $rino_allowed = ((intval($res->rino) === 1) ? 1 : 0); $page = (($owner['page-flags'] == PAGE_COMMUNITY) ? 1 : 0); $final_dfrn_id = ''; + if($perm) { + if((($perm == 'rw') && (! intval($contact['writable']))) + || (($perm == 'r') && (intval($contact['writable'])))) { + q("update contact set writable = %d where id = %d limit 1", + intval(($perm == 'rw') ? 1 : 0), + intval($contact['id']) + ); + $contact['writable'] = (string) 1 - intval($contact['writable']); + } + } if(($contact['duplex'] && strlen($contact['pubkey'])) || ($owner['page-flags'] == PAGE_COMMUNITY && strlen($contact['pubkey'])) @@ -1437,7 +1454,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) } if($deleted && is_array($contact)) { $r = q("SELECT `item`.*, `contact`.`self` FROM `item` left join `contact` on `item`.`contact-id` = `contact`.`id` - WHERE `uri` = '%s' AND `item`.`uid` = %d AND `contact-id` = %d LIMIT 1", + WHERE `uri` = '%s' AND `item`.`uid` = %d AND `contact-id` = %d AND NOT `item`.`file` LIKE '%%[%%' LIMIT 1", dbesc($uri), intval($importer['uid']), intval($contact['id']) @@ -1582,9 +1599,10 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) if(count($r)) { if((x($datarray,'edited') !== false) && (datetime_convert('UTC','UTC',$datarray['edited']) !== $r[0]['edited'])) { - $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", + $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `tag` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", dbesc($datarray['title']), dbesc($datarray['body']), + dbesc($datarray['tag']), dbesc(datetime_convert('UTC','UTC',$datarray['edited'])), dbesc($item_id), intval($importer['uid']) @@ -1727,9 +1745,10 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) if(count($r)) { if((x($datarray,'edited') !== false) && (datetime_convert('UTC','UTC',$datarray['edited']) !== $r[0]['edited'])) { - $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", + $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `tag` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", dbesc($datarray['title']), dbesc($datarray['body']), + dbesc($datarray['tag']), dbesc(datetime_convert('UTC','UTC',$datarray['edited'])), dbesc($item_id), intval($importer['uid']) @@ -1800,7 +1819,7 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) // but otherwise there's a possible data mixup on the sender's system. // the tgroup delivery code called from item_store will correct it if it's a forum, // but we're going to unconditionally correct it here so that the post will always be owned by our contact. - logger('local_delivery: Correcting item owner.', LOGGER_DEBUG); + logger('consume_feed: Correcting item owner.', LOGGER_DEBUG); $datarray['owner-name'] = $contact['name']; $datarray['owner-link'] = $contact['url']; $datarray['owner-avatar'] = $contact['thumb']; @@ -1896,6 +1915,14 @@ function local_delivery($importer,$data) { ); if(count($r)) { $fid = $r[0]['id']; + + // OK, we do. Do we already have an introduction for this person ? + $r = q("select id from intro where uid = %d and fid = %d limit 1", + intval($fsugg['uid']), + intval($fid) + ); + if(count($r)) + return 0; } if(! $fid) $r = q("INSERT INTO `fcontact` ( `name`,`url`,`photo`,`request` ) VALUES ( '%s', '%s', '%s', '%s' ) ", @@ -1916,6 +1943,7 @@ function local_delivery($importer,$data) { else return 0; + $hash = random_string(); $r = q("INSERT INTO `intro` ( `uid`, `fid`, `contact-id`, `note`, `hash`, `datetime`, `blocked` ) @@ -2036,7 +2064,7 @@ function local_delivery($importer,$data) { if($deleted) { $r = q("SELECT `item`.*, `contact`.`self` FROM `item` left join contact on `item`.`contact-id` = `contact`.`id` - WHERE `uri` = '%s' AND `item`.`uid` = %d AND `contact-id` = %d LIMIT 1", + WHERE `uri` = '%s' AND `item`.`uid` = %d AND `contact-id` = %d AND NOT `item`.`file` LIKE '%%[%%' LIMIT 1", dbesc($uri), intval($importer['importer_uid']), intval($importer['id']) @@ -2332,9 +2360,10 @@ function local_delivery($importer,$data) { if(count($r)) { if((x($datarray,'edited') !== false) && (datetime_convert('UTC','UTC',$datarray['edited']) !== $r[0]['edited'])) { - $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", + $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `tag` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", dbesc($datarray['title']), dbesc($datarray['body']), + dbesc($datarray['tag']), dbesc(datetime_convert('UTC','UTC',$datarray['edited'])), dbesc($item_id), intval($importer['importer_uid']) @@ -2497,9 +2526,10 @@ function local_delivery($importer,$data) { if(count($r)) { if((x($datarray,'edited') !== false) && (datetime_convert('UTC','UTC',$datarray['edited']) !== $r[0]['edited'])) { - $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", + $r = q("UPDATE `item` SET `title` = '%s', `body` = '%s', `tag` = '%s', `edited` = '%s' WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", dbesc($datarray['title']), dbesc($datarray['body']), + dbesc($datarray['tag']), dbesc(datetime_convert('UTC','UTC',$datarray['edited'])), dbesc($item_id), intval($importer['importer_uid']) @@ -2925,6 +2955,11 @@ function item_expire($uid,$days) { foreach($r as $item) { + // don't expire filed items + + if(strpos($item['file'],'[') !== false) + continue; + // Only expire posts, not photos and photo comments if($expire_photos==0 && strlen($item['resource-id'])) |