diff options
Diffstat (limited to 'include/security.php')
| -rw-r--r-- | include/security.php | 66 |
1 files changed, 49 insertions, 17 deletions
diff --git a/include/security.php b/include/security.php index 0c3dc29d6..9a25d9e0e 100644 --- a/include/security.php +++ b/include/security.php @@ -71,9 +71,8 @@ function authenticate_success($user_record, $login_initial = false, $interactive /* This account has never created a channel. Send them to new_channel by default */ if($a->module === 'login') { - $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)>0", - intval($a->account['account_id']), - intval(PAGE_REMOVED) + $r = q("select count(channel_id) as total from channel where channel_account_id = %d and channel_removed = 0 ", + intval($a->account['account_id']) ); if(($r) && (! $r[0]['total'])) goaway(z_root() . '/new_channel'); @@ -94,20 +93,17 @@ function change_channel($change_channel) { $ret = false; if($change_channel) { - $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d)>0 limit 1", + $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and channel_removed = 0 limit 1", intval($change_channel), - intval(get_account_id()), - intval(PAGE_REMOVED) + intval(get_account_id()) ); // It's not there. Is this an administrator, and is this the sys channel? if (is_developer()) { if (! $r) { if (is_site_admin()) { - $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d )>0 limit 1", - intval($change_channel), - intval(PAGE_SYSTEM), - intval(PAGE_REMOVED) + $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_system = 1 and channel_removed = 0 limit 1", + intval($change_channel) ); } } @@ -249,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) { $observer = (($remote_observer) ? $remote_observer : get_observer_hash()); if($observer) { + + $s = scopes_sql($owner_id,$observer); + $groups = init_groups_visitor($observer); $gs = '<<>>'; // should be impossible to match @@ -259,9 +258,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) { } $regexop = db_getfunc('REGEXP'); $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') - AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) ) - ) + " AND (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') + AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 )) + ) OR ( item_private = 1 $s )) ", dbesc(protect_sprintf( '%<' . $observer . '>%')), dbesc($gs), @@ -275,6 +274,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) { } /** + * Remote visitors also need to be checked against the public_scope parameter if item_private is set. + * This function checks the various permutations of that field for any which apply to this observer. + * + */ + + + +function scopes_sql($uid,$observer) { + $str = " and ( public_policy = 'authenticated' "; + if(! is_foreigner($observer)) + $str .= " or public_policy = 'network: red' "; + if(local_channel()) + $str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' "; + + $ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1", + dbesc($observer), + intval($uid) + ); + if(! $ab) + return $str . " ) "; + if($ab[0]['abook_pending']) + $str .= " or public_policy = 'any connections' "; + $str .= " or public_policy = 'contacts' ) "; + return $str; +} + + + + + + + +/** * @param string $observer_hash * * @return string additional SQL where statement @@ -404,9 +436,9 @@ function stream_perms_api_uids($perms = NULL, $limit = 0, $rand = 0 ) { $random_sql = (($rand) ? " ORDER BY " . db_getfunc('RAND') . " " : ''); if(local_channel()) $ret[] = local_channel(); - $r = q("select channel_id from channel where channel_r_stream > 0 and ( channel_r_stream & %d )>0 and ( channel_pageflags & %d ) = 0 $random_sql $limit_sql ", + $r = q("select channel_id from channel where channel_r_stream > 0 and ( channel_r_stream & %d )>0 and ( channel_pageflags & %d ) = 0 and channel_system = 0 and channel_removed = 0 $random_sql $limit_sql ", intval($perms), - intval(PAGE_ADULT|PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED) + intval(PAGE_ADULT|PAGE_CENSORED) ); if($r) { foreach($r as $rr) @@ -437,9 +469,9 @@ function stream_perms_xchans($perms = NULL ) { if(local_channel()) $ret[] = get_observer_hash(); - $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0", + $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0 and channel_system = 0 and channel_removed = 0 ", intval($perms), - intval(PAGE_ADULT|PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED) + intval(PAGE_ADULT|PAGE_CENSORED) ); if($r) { foreach($r as $rr) |