aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php142
1 files changed, 90 insertions, 52 deletions
diff --git a/include/security.php b/include/security.php
index e691939fb..a87442d42 100644
--- a/include/security.php
+++ b/include/security.php
@@ -1,4 +1,4 @@
-<?php
+<?php /** @file */
function authenticate_success($user_record, $login_initial = false, $interactive = false,$return = false,$update_lastlog = false) {
@@ -34,6 +34,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
else {
$_SESSION['uid'] = $user_record['uid'];
$_SESSION['theme'] = $user_record['theme'];
+ $_SESSION['mobile_theme'] = get_pconfig($user_record['uid'], 'system', 'mobile_theme');
$_SESSION['authenticated'] = 1;
$_SESSION['page_flags'] = $user_record['page-flags'];
$_SESSION['my_url'] = $a->get_baseurl() . '/channel/' . $user_record['nickname'];
@@ -148,6 +149,7 @@ function change_channel($change_channel) {
$_SESSION['uid'] = intval($r[0]['channel_id']);
get_app()->set_channel($r[0]);
$_SESSION['theme'] = $r[0]['channel_theme'];
+ $_SESSION['mobile_theme'] = get_pconfig(local_user(),'system', 'mobile_theme');
date_default_timezone_set($r[0]['channel_timezone']);
$ret = $r[0];
}
@@ -161,6 +163,9 @@ function change_channel($change_channel) {
get_app()->set_observer($x[0]);
get_app()->set_perms(get_all_perms(local_user(),$hash));
}
+ if(! is_dir('store/' . $r[0]['channel_address']))
+ @mkdir('store/' . $r[0]['channel_address'], STORAGE_DEFAULT_PERMISSIONS,true);
+
}
return $ret;
@@ -205,26 +210,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
+
return $sql;
}
@@ -260,25 +268,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
else {
- $observer = get_app()->get_observer();
- $groups = init_groups_visitor($remote_user);
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . $g . '>';
- }
- $sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
- dbesc($gs)
- );
+ $observer = get_observer_hash();
+
+ if($observer) {
+ $groups = init_groups_visitor($observer);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer . '>%')),
+ dbesc($gs)
+ );
+ }
}
return $sql;
}
@@ -294,16 +305,19 @@ function public_permissions_sql($observer_hash) {
foreach($groups as $g)
$gs .= '|<' . $g . '>';
}
- $sql = sprintf(
- " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
- AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- ))
- ",
- dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
- dbesc($gs),
- dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
- dbesc($gs)
- );
+ $sql = '';
+ if($observer_hash) {
+ $sql = sprintf(
+ " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ ))
+ ",
+ dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
+ dbesc($gs)
+ );
+ }
return $sql;
}
@@ -375,12 +389,12 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
if(! function_exists('init_groups_visitor')) {
function init_groups_visitor($contact_id) {
$groups = array();
- $r = q("SELECT gid FROM group_member WHERE xchan = '%s' ",
+ $r = q("SELECT hash FROM `groups` left join group_member on groups.id = group_member.gid WHERE xchan = '%s' ",
dbesc($contact_id)
);
if(count($r)) {
foreach($r as $rr)
- $groups[] = $rr['gid'];
+ $groups[] = $rr['hash'];
}
return $groups;
}}
@@ -401,7 +415,7 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
$ret = array();
if(local_user())
$ret[] = local_user();
- $r = q("select channel_id from channel where channel_r_stream <= %d",
+ $r = q("select channel_id from channel where channel_r_stream > 0 and channel_r_stream <= %d",
intval($perms_min)
);
if($r)
@@ -416,6 +430,30 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
$str .= ',';
$str .= intval($rr);
}
+logger('stream_perms_api_uids: ' . $str);
return $str;
}
+function stream_perms_xchans($perms_min = PERMS_SITE) {
+ $ret = array();
+ if(local_user())
+ $ret[] = get_observer_hash();
+
+ $r = q("select channel_hash from channel where channel_r_stream > 0 and channel_r_stream <= %d",
+ intval($perms_min)
+ );
+ if($r)
+ foreach($r as $rr)
+ if(! in_array($rr['channel_hash'],$ret))
+ $ret[] = $rr['channel_hash'];
+
+ $str = '';
+ if($ret)
+ foreach($ret as $rr) {
+ if($str)
+ $str .= ',';
+ $str .= "'" . dbesc($rr) . "'";
+ }
+logger('stream_perms_xchans: ' . $str);
+ return $str;
+}
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-07 05:59:43 +0000