Diffstat (limited to 'include/security.php')
-rw-r--r-- | include/security.php | 42 |
1 files changed, 18 insertions, 24 deletions
diff --git a/include/security.php b/include/security.php index 216299099..c3b0e9763 100644 --- a/include/security.php +++ b/include/security.php @@ -22,7 +22,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive $a->account = $user_record; $_SESSION['account_id'] = $user_record['account_id']; $_SESSION['authenticated'] = 1; - + if($login_initial || $update_lastlog) { q("update account set account_lastlog = '%s' where account_id = %d", dbesc(datetime_convert()), @@ -150,11 +150,7 @@ function change_channel($change_channel) { */ function permissions_sql($owner_id, $remote_verified = false, $groups = null) { - if(defined('STATUSNET_PRIVACY_COMPATIBILITY')) - return ''; - $local_channel = local_channel(); - $remote_channel = remote_channel(); /** * Construct permissions @@ -173,7 +169,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) { */ if(($local_channel) && ($local_channel == $owner_id)) { - $sql = ''; + $sql = ''; } /** @@ -194,7 +190,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) { if(is_array($groups) && count($groups)) { foreach($groups as $g) $gs .= '|<' . $g . '>'; - } + } $regexop = db_getfunc('REGEXP'); $sql = sprintf( " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') @@ -223,11 +219,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) { */ function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) { - if(defined('STATUSNET_PRIVACY_COMPATIBILITY')) - return ''; - $local_channel = local_channel(); - $remote_channel = remote_channel(); /** * Construct permissions 
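Review bot: The removed `$local_channel = local_channel();` and `$remote_channel = remote_channel();` lines in permissions_sql() are still read by retained code — the next hunk's context line `if(($local_channel) && ($local_channel == $owner_id))` — so unless an equivalent assignment survives in the unseen lines between the two hunks, both variables are now undefined and evaluate to null. The visible branches test these variables before widening access, so an undefined value should fail closed (the owner branch that sets `$sql = ''` never matches) rather than leak, but it breaks permission evaluation for the owner and authenticated visitors and emits notices. The same pair of assignments is removed from item_permissions_sql() in the hunk at -223, with the same consequence. Dropping the STATUSNET_PRIVACY_COMPATIBILITY early return is sound, since it returned an empty clause and bypassed every permission check; keep that part. Both function bodies continue outside their hunks.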
@@ -246,7 +238,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul } /** - * Authenticated visitor. Unless pre-verified, + * Authenticated visitor. Unless pre-verified, * check that the contact belongs to this $owner_id * and load the groups the visitor belongs to. * If pre-verified, the caller is expected to have already @@ -330,7 +322,7 @@ function public_permissions_sql($observer_hash) { */ function get_form_security_token($typename = '') { $a = get_app(); - + $timestamp = time(); $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename); @@ -340,16 +332,16 @@ function get_form_security_token($typename = '') { function check_form_security_token($typename = '', $formname = 'form_security_token') { if (!x($_REQUEST, $formname)) return false; $hash = $_REQUEST[$formname]; - + $max_livetime = 10800; // 3 hours - + $a = get_app(); - + $x = explode('.', $hash); if (time() > (IntVal($x[0]) + $max_livetime)) return false; - + $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename); - + return ($sec_hash == $x[1]); } 
@@ -404,20 +396,22 @@ function init_groups_visitor($contact_id) { // will likely be too expensive. // Returns a string list of comma separated channel_ids suitable for direct inclusion in a SQL query -function stream_perms_api_uids($perms = NULL ) { +function stream_perms_api_uids($perms = NULL, $limit = 0, $rand = 0 ) { $perms = is_null($perms) ? (PERMS_SITE|PERMS_NETWORK|PERMS_PUBLIC) : $perms; $ret = array(); + $limit_sql = (($limit) ? " LIMIT " . intval($limit) . " " : ''); + $random_sql = (($rand) ? " ORDER BY " . db_getfunc('RAND') . " " : ''); if(local_channel()) $ret[] = local_channel(); - $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0", + $r = q("select channel_id from channel where channel_r_stream > 0 and ( channel_r_stream & %d )>0 and ( channel_pageflags & %d ) = 0 $random_sql $limit_sql ", intval($perms), intval(PAGE_ADULT|PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED) ); if($r) { foreach($r as $rr) if(! in_array($rr['channel_id'], $ret)) - $ret[] = $rr['channel_id']; + $ret[] = $rr['channel_id']; } $str = ''; @@ -425,7 +419,7 @@ function stream_perms_api_uids($perms = NULL ) { foreach($ret as $rr) { if($str) $str .= ','; - $str .= intval($rr); + $str .= intval($rr); } } logger('stream_perms_api_uids: ' . $str, LOGGER_DEBUG); @@ -447,7 +441,7 @@ function stream_perms_xchans($perms = NULL ) { if($r) { foreach($r as $rr) if(! in_array($rr['channel_hash'], $ret)) - $ret[] = $rr['channel_hash']; + $ret[] = $rr['channel_hash']; } $str = ''; @@ -455,7 +449,7 @@ function stream_perms_xchans($perms = NULL ) { foreach($ret as $rr) { if($str) $str .= ','; - $str .= "'" . dbesc($rr) . "'"; + $str .= "'" . dbesc($rr) . "'"; } } logger('stream_perms_xchans: ' . $str, LOGGER_DEBUG); |
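Review bot: The new `$limit_sql = (($limit) ? " LIMIT " . intval($limit) . " " : '');` gates on truthiness, so a negative `$limit` emits `LIMIT -1` (invalid SQL) and a non-numeric one emits `LIMIT 0` (returns nothing); gate on the integer instead: `$limit_sql = ((intval($limit) > 0) ? " LIMIT " . intval($limit) . " " : '');`. The cap also applies only to the query — `local_channel()` is prepended outside it — so callers can receive `$limit + 1` ids, which the header comment should state. The two added parameters are undocumented; extend the comment above the signature with `// $limit (> 0) caps the channel rows fetched; the caller's own channel is added on top. $rand orders the rows randomly (db RAND()), which is costly on large channel tables.` stream_perms_api_uids continues past the hunk.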