diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/ItemObject.php | 2 | ||||
-rw-r--r-- | include/attach.php | 4 | ||||
-rw-r--r-- | include/config.php | 36 | ||||
-rw-r--r-- | include/conversation.php | 2 | ||||
-rw-r--r-- | include/enotify.php | 17 | ||||
-rwxr-xr-x | include/items.php | 185 | ||||
-rw-r--r-- | include/message.php | 94 | ||||
-rw-r--r-- | include/notifier.php | 5 | ||||
-rw-r--r-- | include/photo/photo_imagick.php | 4 | ||||
-rw-r--r-- | include/security.php | 82 | ||||
-rwxr-xr-x | include/text.php | 18 | ||||
-rw-r--r-- | include/zot.php | 25 |
12 files changed, 295 insertions, 179 deletions
diff --git a/include/ItemObject.php b/include/ItemObject.php index b31e60cbc..8c8c0ee2a 100644 --- a/include/ItemObject.php +++ b/include/ItemObject.php @@ -262,7 +262,7 @@ class Item extends BaseObject { } } - $result['private'] = $item['private']; + $result['private'] = $item['item_private']; $result['toplevel'] = ($this->is_toplevel() ? 'toplevel_item' : ''); if($this->is_threaded()) { diff --git a/include/attach.php b/include/attach.php index 38a011bcb..46d406f4b 100644 --- a/include/attach.php +++ b/include/attach.php @@ -193,13 +193,13 @@ function attach_by_hash($hash,$rev = 0) { $sql_extra = permissions_sql($r[0]['uid']); // Now we'll see if we can access the attachment - +dbg(1); $r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1", dbesc($hash), intval($r[0]['uid']) ); - +dbg(0); if(! $r) { $ret['message'] = t('Permission denied.'); return $ret; diff --git a/include/config.php b/include/config.php index 1f7a4dbd7..38840f5e4 100644 --- a/include/config.php +++ b/include/config.php @@ -130,20 +130,12 @@ function load_pconfig($uid,$family = '') { if(! array_key_exists($uid,$a->config)) $a->config[$uid] = array(); - if(($family) && (! array_key_exists($family,$a->config[$uid]))) - $a->config[$uid][$family] = array(); - if($family) { - $r = q("SELECT * FROM `pconfig` WHERE `cat` = '%s' AND `uid` = %d", - dbesc($family), - intval($uid) - ); - } - else { - $r = q("SELECT * FROM `pconfig` WHERE `uid` = %d", - intval($uid) - ); - } + // family is no longer used - load entire user config + + $r = q("SELECT * FROM `pconfig` WHERE `uid` = %d", + intval($uid) + ); if($r) { foreach($r as $rr) { @@ -266,20 +258,12 @@ function load_xconfig($xchan,$family = '') { if(! array_key_exists($xchan,$a->config)) $a->config[$xchan] = array(); - if(($family) && (! array_key_exists($family,$a->config[$xchan]))) - $a->config[$xchan][$family] = array(); - if($family) { - $r = q("SELECT * FROM `xconfig` WHERE `cat` = '%s' AND `xchan` = '%s'", - dbesc($family), - dbesc($xchan) - ); - } - else { - $r = q("SELECT * FROM `xconfig` WHERE `xchan` = '%s'", - dbesc($xchan) - ); - } + // family is no longer used. Entire config is loaded + + $r = q("SELECT * FROM `xconfig` WHERE `xchan` = '%s'", + dbesc($xchan) + ); if($r) { foreach($r as $rr) { diff --git a/include/conversation.php b/include/conversation.php index 1023c068d..61b563a5d 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1128,6 +1128,8 @@ function conv_sort($arr,$order) { usort($parents,'sort_thr_created'); elseif(stristr($order,'commented')) usort($parents,'sort_thr_commented'); + elseif(stristr($order,'ascending')) + usort($parents,'sort_thr_created_rev'); if(count($parents)) foreach($parents as $i=>$_x) diff --git a/include/enotify.php b/include/enotify.php index 3b7a643ed..fc8eb6439 100644 --- a/include/enotify.php +++ b/include/enotify.php @@ -33,7 +33,7 @@ function notification($params) { push_lang($recip['account_language']); // should probably have a channel language - $banner = t('Red Notification'); + $banner = t('Red Matrix Notification'); $product = RED_PLATFORM; $siteurl = $a->get_baseurl(true); $thanks = t('Thank You,'); @@ -89,7 +89,7 @@ function notification($params) { intval($recip['channel_id']) ); if($p) { - logger('notification comment already notified'); + logger('notification: comment already notified'); pop_lang(); return; } @@ -168,6 +168,19 @@ function notification($params) { } if($params['type'] == NOTIFY_TAGSELF) { + + $p = null; + $p = q("select id from notify where link = '%s' and uid = %d limit 1", + dbesc($params['link']), + intval($recip['channel_id']) + ); + if($p) { + logger('enotify: tag: already notified about this post'); + pop_lang(); + return; + } + + $subject = sprintf( t('[Red:Notify] %s tagged you') , $sender['xchan_name']); $preamble = sprintf( t('%1$s tagged you at %2$s') , $sender['xchan_name'], $sitename); $epreamble = sprintf( t('%1$s [zrl=%2$s]tagged you[/zrl].') , diff --git a/include/items.php b/include/items.php index 863fa419b..bacb68909 100755 --- a/include/items.php +++ b/include/items.php @@ -491,7 +491,6 @@ function title_is_body($title, $body) { function get_item_elements($x) { $arr = array(); - $arr['body'] = (($x['body']) ? htmlentities($x['body'],ENT_COMPAT,'UTF-8',false) : ''); $arr['created'] = datetime_convert('UTC','UTC',$x['created']); @@ -506,6 +505,11 @@ function get_item_elements($x) { $arr['edited'] = datetime_convert(); $arr['title'] = (($x['title']) ? htmlentities($x['title'], ENT_COMPAT,'UTF-8',false) : ''); + + if(mb_strlen($arr['title']) > 255) + $arr['title'] = mb_substr($arr['title'],0,255); + + $arr['app'] = (($x['app']) ? htmlentities($x['app'], ENT_COMPAT,'UTF-8',false) : ''); $arr['mid'] = (($x['message_id']) ? htmlentities($x['message_id'], ENT_COMPAT,'UTF-8',false) : ''); $arr['parent_mid'] = (($x['message_top']) ? htmlentities($x['message_top'], ENT_COMPAT,'UTF-8',false) : ''); @@ -528,6 +532,21 @@ function get_item_elements($x) { $arr['item_private'] = ((array_key_exists('flags',$x) && is_array($x['flags']) && in_array('private',$x['flags'])) ? 1 : 0); + $arr['item_flags'] = 0; + + // if it's a private post, encrypt it in the DB. + // We have to do that here because we need to cleanse the input and prevent bad stuff from getting in, + // and we need plaintext to do that. + + if(intval($arr['item_private'])) { + $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; + $key = get_config('system','pubkey'); + if($arr['title']) + $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + if($arr['body']) + $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + } + if(array_key_exists('flags',$x) && in_array('deleted',$x['flags'])) $arr['item_restrict'] = ITEM_DELETED; @@ -599,6 +618,14 @@ function encode_item($item) { $scope = map_scope($public_scope); $c_scope = map_scope($comment_scope); + if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) { + $key = get_config('system','prvkey'); + if($item['title']) + $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key); + if($item['body']) + $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key); + } + if($item['item_restrict'] & ITEM_DELETED) { $x['message_id'] = $item['mid']; $x['created'] = $item['created']; @@ -791,7 +818,13 @@ function encode_mail($item) { $x = array(); $x['type'] = 'mail'; - logger('encode_mail: ' . print_r($item,true)); + if(array_key_exists('mail_flags',$item) && ($item['mail_flags'] & MAIL_OBSCURED)) { + $key = get_config('system','prvkey'); + if($item['title']) + $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key); + if($item['body']) + $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key); + } $x['message_id'] = $item['mid']; $x['message_parent'] = $item['parent_mid']; @@ -803,9 +836,6 @@ function encode_mail($item) { $x['flags'] = array(); - if($item['mail_flags'] & MAIL_OBSCURED) - $x['flags'][] = 'obscured'; - if($item['mail_flags'] & MAIL_RECALLED) { $x['flags'][] = 'recalled'; $x['title'] = ''; @@ -832,18 +862,16 @@ function get_mail_elements($x) { if(in_array('recalled',$x['flags'])) { $arr['mail_flags'] |= MAIL_RECALLED; } - if(in_array('obscured',$x['flags'])) { - - $arr['mail_flags'] |= MAIL_OBSCURED; - $arr['body'] = base64url_decode($arr['body']); - $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); - $arr['body'] = base64url_encode($arr['body']); - $arr['title'] = base64url_decode($arr['title']); - $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); - $arr['title'] = base64url_encode($arr['title']); - } } + $key = get_config('system','pubkey'); + $arr['mail_flags'] |= MAIL_OBSCURED; + $arr['body'] = htmlentities($arr['body'],ENT_COMPAT,'UTF-8',false); + if($arr['body']) + $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + $arr['title'] = htmlentities($arr['title'],ENT_COMPAT,'UTF-8',false); + if($arr['title']) + $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); if($arr['created'] > datetime_convert()) $arr['created'] = datetime_convert(); @@ -1328,24 +1356,56 @@ function item_store($arr,$force_parent = false) { if(array_key_exists('parent',$arr)) unset($arr['parent']); - $arr['lang'] = detect_language($arr['body']); + $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); + $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); + $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : ''); - $allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages'); + $arr['allow_cid'] = ((x($arr,'allow_cid')) ? trim($arr['allow_cid']) : ''); + $arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : ''); + $arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : ''); + $arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : ''); + $arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 ); + $arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 ); - if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) { - $translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false); - call_hooks('item_translate', $translate); - if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) { - logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']); - return; + // this is a bit messy - we really need an input filter chain that temporarily undoes obscuring + + if($arr['mimetype'] != 'text/html') { + if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) + $arr['body'] = escape_tags($arr['body']); + if((strpos($arr['title'],'<') !== false) || (strpos($arr['title'],'>') !== false)) + $arr['title'] = escape_tags($arr['title']); + } + + // only detect language if we have text content, and if the post is private but not yet + // obscured, make it so. + + if(! ($arr['item_flags'] & ITEM_OBSCURED)) { + $arr['lang'] = detect_language($arr['body']); + + $allowed_languages = get_pconfig($arr['uid'],'system','allowed_languages'); + + if((is_array($allowed_languages)) && ($arr['lang']) && (! array_key_exists($arr['lang'],$allowed_languages))) { + $translate = array('item' => $arr, 'from' => $arr['lang'], 'to' => $allowed_languages, 'translated' => false); + call_hooks('item_translate', $translate); + if((! $translate['translated']) && (intval(get_pconfig($arr['uid'],'system','reject_disallowed_languages')))) { + logger('item_store: language ' . $arr['lang'] . ' not accepted for uid ' . $arr['uid']); + return; + } + $arr = $translate['item']; } - $arr = $translate['item']; + if($arr['item_private']) { + $key = get_config('system','pubkey'); + $arr['item_flags'] = $arr['item_flags'] | ITEM_OBSCURED; + if($arr['title']) + $arr['title'] = json_encode(aes_encapsulate($arr['title'],$key)); + if($arr['body']) + $arr['body'] = json_encode(aes_encapsulate($arr['body'],$key)); + } + } - // Shouldn't happen but we want to make absolutely sure it doesn't leak from a plugin. - if((strpos($arr['body'],'<') !== false) || (strpos($arr['body'],'>') !== false)) - $arr['body'] = escape_tags($arr['body']); + if((x($arr,'object')) && is_array($arr['object'])) { activity_sanitise($arr['object']); @@ -1372,8 +1432,6 @@ function item_store($arr,$force_parent = false) { $arr['commented'] = datetime_convert(); $arr['received'] = datetime_convert(); $arr['changed'] = datetime_convert(); - $arr['mimetype'] = ((x($arr,'mimetype')) ? notags(trim($arr['mimetype'])) : 'text/bbcode'); - $arr['title'] = ((x($arr,'title')) ? notags(trim($arr['title'])) : ''); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); $arr['parent_mid'] = ((x($arr,'parent_mid')) ? notags(trim($arr['parent_mid'])) : ''); @@ -1384,19 +1442,12 @@ function item_store($arr,$force_parent = false) { $arr['tgt_type'] = ((x($arr,'tgt_type')) ? notags(trim($arr['tgt_type'])) : ''); $arr['target'] = ((x($arr,'target')) ? trim($arr['target']) : ''); $arr['plink'] = ((x($arr,'plink')) ? notags(trim($arr['plink'])) : ''); - $arr['allow_cid'] = ((x($arr,'allow_cid')) ? trim($arr['allow_cid']) : ''); - $arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : ''); - $arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : ''); - $arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : ''); - $arr['item_private'] = ((x($arr,'item_private')) ? intval($arr['item_private']) : 0 ); - $arr['body'] = ((x($arr,'body')) ? trim($arr['body']) : ''); $arr['attach'] = ((x($arr,'attach')) ? notags(trim($arr['attach'])) : ''); $arr['app'] = ((x($arr,'app')) ? notags(trim($arr['app'])) : ''); $arr['item_restrict'] = ((x($arr,'item_restrict')) ? intval($arr['item_restrict']) : 0 ); $arr['comment_policy'] = ((x($arr,'comment_policy')) ? notags(trim($arr['comment_policy'])) : 'contacts' ); - $arr['item_flags'] = ((x($arr,'item_flags')) ? intval($arr['item_flags']) : 0 ); $arr['item_flags'] = $arr['item_flags'] | ITEM_UNSEEN; @@ -1553,7 +1604,7 @@ function item_store($arr,$force_parent = false) { if(strlen($allow_cid) || strlen($allow_gid) || strlen($deny_cid) || strlen($deny_gid)) $private = 1; else - $private = $arr['private']; + $private = $arr['item_private']; // Set parent id - and also make sure to inherit the parent's ACL's. @@ -1574,7 +1625,7 @@ function item_store($arr,$force_parent = false) { $arr['allow_gid'] = $allow_gid; $arr['deny_cid'] = $deny_cid; $arr['deny_gid'] = $deny_gid; - $arr['private'] = $private; + $arr['item_private'] = $private; // Store taxonomy @@ -2050,10 +2101,17 @@ function tgroup_check($uid,$item) { $mention = false; // check that the message originated elsewhere and is a top-level post + // or is a followup and we have already accepted the top level post - if($arr['mid'] != $arr['parent_mid']) + if($item['mid'] != $item['parent_mid']) { + $r = q("select id from item where mid = '%s' and uid = %d limit 1", + dbesc($item['parent_mid']), + intval($uid) + ); + if($r) + return true; return false; - + } if(! perm_is_allowed($uid,$item['author_xchan'],'tag_deliver')) return false; @@ -4712,39 +4770,52 @@ function zot_feed($uid,$observer_xchan,$mindate) { if(! $mindate) $mindate = '0000-00-00 00:00:00'; + $mindate = dbesc($mindate); + if(! perm_is_allowed($uid,$observer_xchan,'view_stream')) { return $result; } -// FIXME - $sql_extra = item_permissions_sql($uid,$remote_contact,$groups); + $sql_extra = item_permissions_sql($uid); - if($mindate != '0000-00-00 00:00:00') + if($mindate != '0000-00-00 00:00:00') { $sql_extra .= " and created > '$mindate' "; + $limit = ""; + } + else + $limit = " limit 0, 50 "; + $items = array(); -// FIXME - // We probably should use two queries and pick up total conversations. - // For now get a chunk of raw posts in ascending created order so that - // hopefully the parent is imported before we see the kids. - // This will fail if there are more than $limit kids and you didn't - // receive the parent via direct delivery - - $limit = 200; - - $items = q("SELECT item.* from item - WHERE uid = %d AND item_restrict = 0 + $r = q("SELECT item.*, item.id as item_id from item + WHERE uid = %d AND item_restrict = 0 and id = parent AND (item_flags & %d) - $sql_extra ORDER BY created ASC limit 0, $limit", + $sql_extra ORDER BY created ASC $limit", intval($uid), intval(ITEM_WALL) ); + if($r) { + + $parents_str = ids_to_querystr($r,'id'); + + $items = q("SELECT `item`.*, `item`.`id` AS `item_id` FROM `item` + WHERE `item`.`uid` = %d AND `item`.`item_restrict` = 0 + AND `item`.`parent` IN ( %s ) ", + intval($uid), + dbesc($parents_str) + ); + + } + if($items) { xchan_query($items); $items = fetch_post_tags($items); - } else { - $items = array(); + require_once('include/conversation.php'); + $items = conv_sort($items,'ascending'); + } + else + $items = array(); foreach($items as $item) $result[] = encode_item($item); diff --git a/include/message.php b/include/message.php index 6c44a54f3..d6294cdba 100644 --- a/include/message.php +++ b/include/message.php @@ -2,6 +2,7 @@ /* Private Message backend API */ +require_once('include/crypto.php'); // send a private message @@ -56,6 +57,28 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' $replyto = $mid; } + /** + * + * When a photo was uploaded into the message using the (profile wall) ajax + * uploader, The permissions are initially set to disallow anybody but the + * owner from seeing it. This is because the permissions may not yet have been + * set for the post. If it's private, the photo permissions should be set + * appropriately. But we didn't know the final permissions on the post until + * now. So now we'll look for links of uploaded messages that are in the + * post and set them to the same permissions as the post itself. + * + */ + + $match = null; + $images = null; + if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) + $images = $match[1]; + + $key = get_config('system','pubkey'); + if($subject) + $subject = json_encode(aes_encapsulate($subject,$key)); + if($body) + $body = json_encode(aes_encapsulate($body,$key)); $r = q("INSERT INTO mail ( account_id, mail_flags, channel_id, from_xchan, to_xchan, title, body, mid, parent_mid, created ) VALUES ( %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' )", @@ -64,8 +87,8 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' intval($channel['channel_id']), dbesc($channel['channel_hash']), dbesc($recipient), - dbesc(base64url_encode($subject)), - dbesc(base64url_encode($body)), + dbesc($subject), + dbesc($body), dbesc($mid), dbesc($replyto), dbesc(datetime_convert()) @@ -84,35 +107,18 @@ function send_message($uid = 0, $recipient='', $body='', $subject='', $replyto=' return $ret; } - /** - * - * When a photo was uploaded into the message using the (profile wall) ajax - * uploader, The permissions are initially set to disallow anybody but the - * owner from seeing it. This is because the permissions may not yet have been - * set for the post. If it's private, the photo permissions should be set - * appropriately. But we didn't know the final permissions on the post until - * now. So now we'll look for links of uploaded messages that are in the - * post and set them to the same permissions as the post itself. - * - */ - - $match = null; - - if(preg_match_all("/\[img\](.*?)\[\/img\]/",$body,$match)) { - $images = $match[1]; - if(count($images)) { - foreach($images as $image) { - if(! stristr($image,$a->get_baseurl() . '/photo/')) - continue; - $image_uri = substr($image,strrpos($image,'/') + 1); - $image_uri = substr($image_uri,0, strpos($image_uri,'-')); - $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'", - dbesc('<' . $recipient . '>'), - dbesc($image_uri), - intval($channel['channel_id']), - dbesc('<' . $channel['channel_hash'] . '>') - ); - } + if(count($images)) { + foreach($images as $image) { + if(! stristr($image,$a->get_baseurl() . '/photo/')) + continue; + $image_uri = substr($image,strrpos($image,'/') + 1); + $image_uri = substr($image_uri,0, strpos($image_uri,'-')); + $r = q("UPDATE photo SET allow_cid = '%s' WHERE resource_id = '%s' AND uid = %d and allow_cid = '%s'", + dbesc('<' . $recipient . '>'), + dbesc($image_uri), + intval($channel['channel_id']), + dbesc('<' . $channel['channel_hash'] . '>') + ); } } @@ -171,11 +177,14 @@ function private_messages_list($uid, $mailbox = '', $start = 0, $numitems = 0) { $r[$k]['to'] = find_xchan_in_array($rr['to_xchan'],$c); $r[$k]['seen'] = (($rr['mail_flags'] & MAIL_SEEN) ? 1 : 0); if($r[$k]['mail_flags'] & MAIL_OBSCURED) { - $r[$k]['title'] = base64url_decode($r[$k]['title']); - $r[$k]['body'] = base64url_decode($r[$k]['body']); - } - + logger('unencrypting'); + $key = get_config('system','prvkey'); + if($r[$k]['title']) + $r[$k]['title'] = aes_unencapsulate(json_decode($r[$k]['title'],true),$key); + if($r[$k]['body']) + $r[$k]['body'] = aes_unencapsulate(json_decode($r[$k]['body'],true),$key); + } } return $r; @@ -209,8 +218,11 @@ function private_messages_fetch_message($channel_id, $messageitem_id, $updatesee $messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c); $messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c); if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { - $messages[$k]['title'] = base64url_decode($messages[$k]['title']); - $messages[$k]['body'] = base64url_decode($messages[$k]['body']); + $key = get_config('system','prvkey'); + if($messages[$k]['title']) + $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key); + if($messages[$k]['body']) + $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key); } } @@ -294,10 +306,12 @@ function private_messages_fetch_conversation($channel_id, $messageitem_id, $upda $messages[$k]['from'] = find_xchan_in_array($message['from_xchan'],$c); $messages[$k]['to'] = find_xchan_in_array($message['to_xchan'],$c); if($messages[$k]['mail_flags'] & MAIL_OBSCURED) { - $messages[$k]['title'] = base64url_decode($messages[$k]['title']); - $messages[$k]['body'] = base64url_decode($messages[$k]['body']); + $key = get_config('system','prvkey'); + if($messages[$k]['title']) + $messages[$k]['title'] = aes_unencapsulate(json_decode($messages[$k]['title'],true),$key); + if($messages[$k]['body']) + $messages[$k]['body'] = aes_unencapsulate(json_decode($messages[$k]['body'],true),$key); } - } diff --git a/include/notifier.php b/include/notifier.php index 9a8866223..dea9d6072 100644 --- a/include/notifier.php +++ b/include/notifier.php @@ -328,7 +328,10 @@ function notifier_run($argv, $argc){ // Generic delivery section, we have an encoded item and recipients // Now start the delivery process - logger('notifier: encoded item: ' . print_r($encoded_item,true)); + $x = $encoded_item; + $x['title'] = 'private'; + $x['body'] = 'private'; + logger('notifier: encoded item: ' . print_r($x,true), LOGGER_DATA); stringify_array_elms($recipients); if(! $recipients) diff --git a/include/photo/photo_imagick.php b/include/photo/photo_imagick.php index 2737c8f69..3f84fd06c 100644 --- a/include/photo/photo_imagick.php +++ b/include/photo/photo_imagick.php @@ -153,14 +153,14 @@ class photo_imagick extends photo_driver { do { $this->image->cropImage($w, $h, $x, $y); /** - * We need to remove the canva, + * We need to remove the canvas, * or the image is not resized to the crop: * http://php.net/manual/en/imagick.cropimage.php#97232 */ $this->image->setImagePage(0, 0, 0, 0); } while ($this->image->nextImage()); - $this->doScaleImage($max); + $this->doScaleImage($max,$max); } public function imageString() { diff --git a/include/security.php b/include/security.php index 29a0fc0bc..ef4d5a313 100644 --- a/include/security.php +++ b/include/security.php @@ -205,26 +205,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) { else { - $observer = get_app()->get_observer(); - $groups = init_groups_visitor($remote_user); - - $gs = '<<>>'; // should be impossible to match - - if(is_array($groups) && count($groups)) { - foreach($groups as $g) - $gs .= '|<' . $g . '>'; - } - $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) - ) - ", - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs), - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs) - ); + $observer = get_observer_hash(); + if($observer) { + $groups = init_groups_visitor($observer); + + $gs = '<<>>'; // should be impossible to match + + if(is_array($groups) && count($groups)) { + foreach($groups as $g) + $gs .= '|<' . $g . '>'; + } + $sql = sprintf( + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + ) + ", + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs), + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs) + ); + } } + return $sql; } @@ -260,25 +263,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) else { - $observer = get_app()->get_observer(); - $groups = init_groups_visitor($remote_user); - - $gs = '<<>>'; // should be impossible to match - - if(is_array($groups) && count($groups)) { - foreach($groups as $g) - $gs .= '|<' . $g . '>'; - } - $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) - ) - ", - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs), - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs) - ); + $observer = get_observer_hash(); + + if($observer) { + $groups = init_groups_visitor($observer); + + $gs = '<<>>'; // should be impossible to match + + if(is_array($groups) && count($groups)) { + foreach($groups as $g) + $gs .= '|<' . $g . '>'; + } + $sql = sprintf( + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + ) + ", + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs), + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs) + ); + } } return $sql; } diff --git a/include/text.php b/include/text.php index 2d29dff31..814c564a3 100755 --- a/include/text.php +++ b/include/text.php @@ -887,7 +887,7 @@ function smilies($s, $sample = false) { '<img class="smiley" src="' . $a->get_baseurl() . '/images/smiley-facepalm.gif" alt=":facepalm" />', '<img class="smiley" src="' . $a->get_baseurl() . '/images/like.gif" alt=":like" />', '<img class="smiley" src="' . $a->get_baseurl() . '/images/dislike.gif" alt=":dislike" />', - '<img class="smiley" src="' . $a->get_baseurl() . '/images/rhash-16.png" alt="red#" /></a>', + '<a href="http://getzot.com"><img class="smiley" src="' . $a->get_baseurl() . '/images/rhash-16.png" alt="red#" /> the Red Matrix</a>', '<a href="http://friendica.com">~friendica <img class="smiley" src="' . $a->get_baseurl() . '/images/friendica-16.png" alt="~friendica" /></a>' ); @@ -977,11 +977,22 @@ function link_compare($a,$b) { -function prepare_body($item,$attach = false) { +function prepare_body(&$item,$attach = false) { $a = get_app(); + + + call_hooks('prepare_body_init', $item); + if(array_key_exists('item_flags',$item) && ($item['item_flags'] & ITEM_OBSCURED)) { + $key = get_config('system','prvkey'); + if($item['title']) + $item['title'] = aes_unencapsulate(json_decode($item['title'],true),$key); + if($item['body']) + $item['body'] = aes_unencapsulate(json_decode($item['body'],true),$key); + } + $s = prepare_text($item['body'],$item['mimetype']); $prep_arr = array('item' => $item, 'html' => $s); @@ -992,6 +1003,7 @@ function prepare_body($item,$attach = false) { return $s; } + $arr = json_decode($item['attach'],true); if(count($arr)) { $s .= '<div class="body-attach">'; @@ -1246,7 +1258,7 @@ function feed_salmonlinks($nick) { function get_plink($item) { $a = get_app(); - if (x($item,'plink') && ($item['private'] != 1)) { + if (x($item,'plink') && ($item['item_private'] != 1)) { return array( 'href' => $item['plink'], 'title' => t('link to source'), diff --git a/include/zot.php b/include/zot.php index 7369de80a..437ec0c86 100644 --- a/include/zot.php +++ b/include/zot.php @@ -770,8 +770,6 @@ function zot_fetch($arr) { function zot_import($arr) { -// logger('zot_import: ' . print_r($arr,true), LOGGER_DATA); - $data = json_decode($arr['body'],true); if(! $data) { @@ -783,8 +781,6 @@ function zot_import($arr) { $data = json_decode(aes_unencapsulate($data,get_config('system','prvkey')),true); } - logger('zot_import: data' . print_r($data,true), LOGGER_DATA); - $incoming = $data['pickup']; $return = array(); @@ -837,10 +833,12 @@ function zot_import($arr) { if($i['message']) { if($i['message']['type'] === 'activity') { $arr = get_item_elements($i['message']); + if(! array_key_exists('created',$arr)) { logger('Activity rejected: probable failure to lookup author/owner. ' . print_r($i['message'],true)); continue; } + logger('Activity received: ' . print_r($arr,true), LOGGER_DATA); logger('Activity recipients: ' . print_r($deliveries,true), LOGGER_DATA); @@ -1022,6 +1020,18 @@ function process_delivery($sender,$arr,$deliveries,$relay) { $perm = (($arr['mid'] == $arr['parent_mid']) ? 'send_stream' : 'post_comments'); + // This is our own post, possibly coming from a channel clone + + if($arr['owner_xchan'] == $d['hash']) { + $arr['item_flags'] = $arr['item_flags'] | ITEM_WALL; + } + else { + // clear the wall flag if it is set + if($arr['item_flags'] & ITEM_WALL) { + $arr['item_flags'] = ($arr['item_flags'] ^ ITEM_WALL); + } + } + if((! perm_is_allowed($channel['channel_id'],$sender['hash'],$perm)) && (! $tag_delivery)) { logger("permission denied for delivery {$channel['channel_id']}"); $result[] = array($d['hash'],'permission denied',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>'); @@ -1565,7 +1575,7 @@ function build_sync_packet($uid = 0, $packet = null) { // don't pass these elements, they should not be synchronised - $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey'); + $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey','channel_address'); if(in_array($k,$disallowed)) continue; @@ -1605,7 +1615,8 @@ function build_sync_packet($uid = 0, $packet = null) { function process_channel_sync_delivery($sender,$arr,$deliveries) { -// FIXME - this will sync red structures. Eventually we need to make this application agnostic. +// FIXME - this will sync red structures (channel, pconfig and abook). Eventually we need to make this application agnostic. +// TODO: missing group membership changes $result = array(); @@ -1635,7 +1646,7 @@ function process_channel_sync_delivery($sender,$arr,$deliveries) { } if(array_key_exists('channel',$arr) && is_array($arr['channel']) && count($arr['channel'])) { - $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey'); + $disallowed = array('channel_id','channel_account_id','channel_primary','channel_prvkey', 'channel_address'); $clean = array(); foreach($arr['channel'] as $k => $v) { |