aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
diff options
context:
space:
mode:
Diffstat (limited to 'include/security.php')
-rw-r--r--include/security.php66
1 files changed, 49 insertions, 17 deletions
diff --git a/include/security.php b/include/security.php
index 0c3dc29d6..9a25d9e0e 100644
--- a/include/security.php
+++ b/include/security.php
@@ -71,9 +71,8 @@ function authenticate_success($user_record, $login_initial = false, $interactive
/* This account has never created a channel. Send them to new_channel by default */
if($a->module === 'login') {
- $r = q("select count(channel_id) as total from channel where channel_account_id = %d and not ( channel_pageflags & %d)>0",
- intval($a->account['account_id']),
- intval(PAGE_REMOVED)
+ $r = q("select count(channel_id) as total from channel where channel_account_id = %d and channel_removed = 0 ",
+ intval($a->account['account_id'])
);
if(($r) && (! $r[0]['total']))
goaway(z_root() . '/new_channel');
@@ -94,20 +93,17 @@ function change_channel($change_channel) {
$ret = false;
if($change_channel) {
- $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and not ( channel_pageflags & %d)>0 limit 1",
+ $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_account_id = %d and channel_removed = 0 limit 1",
intval($change_channel),
- intval(get_account_id()),
- intval(PAGE_REMOVED)
+ intval(get_account_id())
);
// It's not there. Is this an administrator, and is this the sys channel?
if (is_developer()) {
if (! $r) {
if (is_site_admin()) {
- $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and ( channel_pageflags & %d) and not (channel_pageflags & %d )>0 limit 1",
- intval($change_channel),
- intval(PAGE_SYSTEM),
- intval(PAGE_REMOVED)
+ $r = q("select channel.*, xchan.* from channel left join xchan on channel.channel_hash = xchan.xchan_hash where channel_id = %d and channel_system = 1 and channel_removed = 0 limit 1",
+ intval($change_channel)
);
}
}
@@ -249,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) {
+
+ $s = scopes_sql($owner_id,$observer);
+
$groups = init_groups_visitor($observer);
$gs = '<<>>'; // should be impossible to match
@@ -259,9 +258,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
}
$regexop = db_getfunc('REGEXP');
$sql = sprintf(
- " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
- AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
- )
+ " AND (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
+ AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+ ) OR ( item_private = 1 $s ))
",
dbesc(protect_sprintf( '%<' . $observer . '>%')),
dbesc($gs),
@@ -275,6 +274,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
}
/**
+ * Remote visitors also need to be checked against the public_scope parameter if item_private is set.
+ * This function checks the various permutations of that field for any which apply to this observer.
+ *
+ */
+
+
+
+function scopes_sql($uid,$observer) {
+ $str = " and ( public_policy = 'authenticated' ";
+ if(! is_foreigner($observer))
+ $str .= " or public_policy = 'network: red' ";
+ if(local_channel())
+ $str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' ";
+
+ $ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
+ dbesc($observer),
+ intval($uid)
+ );
+ if(! $ab)
+ return $str . " ) ";
+ if($ab[0]['abook_pending'])
+ $str .= " or public_policy = 'any connections' ";
+ $str .= " or public_policy = 'contacts' ) ";
+ return $str;
+}
+
+
+
+
+
+
+
+/**
* @param string $observer_hash
*
* @return string additional SQL where statement
@@ -404,9 +436,9 @@ function stream_perms_api_uids($perms = NULL, $limit = 0, $rand = 0 ) {
$random_sql = (($rand) ? " ORDER BY " . db_getfunc('RAND') . " " : '');
if(local_channel())
$ret[] = local_channel();
- $r = q("select channel_id from channel where channel_r_stream > 0 and ( channel_r_stream & %d )>0 and ( channel_pageflags & %d ) = 0 $random_sql $limit_sql ",
+ $r = q("select channel_id from channel where channel_r_stream > 0 and ( channel_r_stream & %d )>0 and ( channel_pageflags & %d ) = 0 and channel_system = 0 and channel_removed = 0 $random_sql $limit_sql ",
intval($perms),
- intval(PAGE_ADULT|PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED)
+ intval(PAGE_ADULT|PAGE_CENSORED)
);
if($r) {
foreach($r as $rr)
@@ -437,9 +469,9 @@ function stream_perms_xchans($perms = NULL ) {
if(local_channel())
$ret[] = get_observer_hash();
- $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0",
+ $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d)>0 and not (channel_pageflags & %d)>0 and channel_system = 0 and channel_removed = 0 ",
intval($perms),
- intval(PAGE_ADULT|PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED)
+ intval(PAGE_ADULT|PAGE_CENSORED)
);
if($r) {
foreach($r as $rr)