Diffstat (limited to 'include')
-rw-r--r--include/apps.php5
-rw-r--r--include/bbcode.php4
-rwxr-xr-xinclude/items.php1
-rw-r--r--include/zot.php54
4 files changed, 56 insertions, 8 deletions
diff --git a/include/apps.php b/include/apps.php
index 91012b0ef..cd0c2984e 100644
--- a/include/apps.php
+++ b/include/apps.php
@@ -11,7 +11,10 @@ require_once('include/identity.php');
function get_system_apps() {
$ret = array();
- $files = glob('app/*.apd');
+ if(is_dir('apps'))
+ $files = glob('apps/*.apd');
+ else
+ $files = glob('app/*.apd');
if($files) {
foreach($files as $f) {
$x = parse_app_description($f);
diff --git a/include/bbcode.php b/include/bbcode.php
index d7a5ac457..6b7217f91 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -162,7 +162,7 @@ function bb_parse_app($match) {
function bb_parse_element($match) {
$j = json_decode(base64url_decode($match[1]),true);
if($j) {
- $o = EOL . '<a href="' . z_root() . '" foo="baz" onclick="importElement(\'' . $match[1] . '\'); return false;" >' . t('Install design element: ') . $j['pagetitle'] . '</a>' . EOL;
+ $o = EOL . '<a href="#" onclick="importElement(\'' . $match[1] . '\'); return false;" >' . t('Install design element: ') . $j['pagetitle'] . '</a>' . EOL;
}
return $o;
}
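Review bot: The rewritten anchor in bb_parse_element still concatenates `$j['pagetitle']` into the markup as-is, and that value is taken from the base64url-encoded JSON inside the tag, so escaping applied to the post text earlier would presumably not have reached it (the caller is outside this hunk). Encode it at the point of output, for example `htmlspecialchars($j['pagetitle'], ENT_QUOTES, 'UTF-8')`. `$match[1]` is placed inside a single-quoted JavaScript string in `onclick`, which is only safe if the pattern that captured it restricts it to the base64url alphabet; a one-line comment stating that assumption would help the next reader. Separately, `$o` is never assigned when `json_decode` fails, so `return $o;` returns an undefined variable; initialise it with `$o = '';` before the `if`.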
@@ -823,7 +823,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true) {
// fix any escaped ampersands that may have been converted into links
$Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text);
- $Text = preg_replace("/\<(.*?)(src|href)=\"[^hfm](.*?)\>/ism",'<$1$2="">',$Text);
+ $Text = preg_replace("/\<(.*?)(src|href)=\"[^hfm#](.*?)\>/ism",'<$1$2="">',$Text);
call_hooks('bbcode',$Text);
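Review bot: Nothing at the changed `preg_replace` records why `#` was added to the allowed first characters; it appears to be there for the `href="#"` link that bb_parse_element now emits, and a comment such as `// allow fragment-only links (href="#"), used by the design element installer` would say so. The same character class also applies to `src`, so the comment should note that `src="#..."` now survives this pass as well. The pattern is a first-character allowlist on double-quoted values, not a scheme check, and it is worth describing it that way in the comment so nobody treats it as the only URL filter. The enclosing bbcode() function starts and ends outside this hunk.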
diff --git a/include/items.php b/include/items.php
index a930a7c3e..e64e91dc3 100755
--- a/include/items.php
+++ b/include/items.php
@@ -2072,6 +2072,7 @@ function item_store($arr,$allow_exec = false) {
return $ret;
}
+
// is the new message multi-level threaded?
// even though we don't support it now, preserve the info
// and re-attach to the conversation parent.
diff --git a/include/zot.php b/include/zot.php
index 3d59f00f3..1706153dd 100644
--- a/include/zot.php
+++ b/include/zot.php
@@ -1402,6 +1402,7 @@ function process_delivery($sender,$arr,$deliveries,$relay,$public = false) {
$perm = (($arr['mid'] == $arr['parent_mid']) ? 'send_stream' : 'post_comments');
+
// This is our own post, possibly coming from a channel clone
if($arr['owner_xchan'] == $d['hash']) {
@@ -1419,7 +1420,44 @@ function process_delivery($sender,$arr,$deliveries,$relay,$public = false) {
$result[] = array($d['hash'],'permission denied',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
continue;
}
-
+
+ if($arr['mid'] != $arr['parent_mid']) {
+
+ // check source route.
+ // We are only going to accept comments from this sender if the comment has the same route as the top-level-post,
+ // this is so that permissions mismatches between senders apply to the entire conversation
+ // As a side effect we will also do a preliminary check that we have the top-level-post, otherwise
+ // processing it is pointless.
+
+ $r = q("select route from item where mid = '%s' and uid = %d limit 1",
+ dbesc($arr['parent_mid']),
+ intval($channel['channel_id'])
+ );
+ if(! $r) {
+ $result[] = array($d['hash'],'comment parent not found',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
+ continue;
+ }
+ if($relay) {
+ // reset the route in case it travelled a great distance upstream
+ // use our parent's route so when we go back downstream we'll match
+ // with whatever route our parent has.
+ $arr['route'] = $r[0]['route'];
+ }
+ else {
+
+ // going downstream check that we have the same upstream provider that
+ // sent it to us originally. Ignore it if it came from another source
+ // (with potentially different permissions)
+
+ $current_route = (($arr['route']) ? $arr['route'] . ',' : '') . $sender['hash'];
+
+ if($r[0]['route'] != $current_route) {
+ $result[] = array($d['hash'],'comment route mismatch',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
+ continue;
+ }
+ }
+ }
+
if($arr['item_restrict'] & ITEM_DELETED) {
// remove_community_tag is a no-op if this isn't a community tag activity
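Review bot: The route check `if($r[0]['route'] != $current_route)` decides whether a comment is accepted, but it uses PHP's loose comparison, and `$current_route` is built from `$arr['route']`, a field of the incoming item. Loose `!=` compares two numeric-looking strings by value, so make the test strict: `if((string) $r[0]['route'] !== $current_route) {`. `$arr['route']` is also read without checking that the key exists; `! empty($arr['route'])` in the ternary avoids a notice on items that carry no route. Neither rejection path ('comment parent not found', 'comment route mismatch') writes a log entry, which would make dropped comments easier to investigate later. process_delivery starts and ends outside this hunk.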
@@ -1446,9 +1484,13 @@ function process_delivery($sender,$arr,$deliveries,$relay,$public = false) {
$arr['id'] = $r[0]['id'];
$arr['uid'] = $channel['channel_id'];
update_imported_item($sender,$arr,$channel['channel_id']);
- }
- $result[] = array($d['hash'],'updated',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
- $item_id = $r[0]['id'];
+ $result[] = array($d['hash'],'updated',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
+ $item_id = $r[0]['id'];
+ }
+ else {
+ $result[] = array($d['hash'],'update ignored',$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
+ continue;
+ }
}
else {
$arr['aid'] = $channel['channel_account_id'];
@@ -1459,7 +1501,9 @@ function process_delivery($sender,$arr,$deliveries,$relay,$public = false) {
$item_id = $item_result['item_id'];
$parr = array('item_id' => $item_id,'item' => $arr,'sender' => $sender,'channel' => $channel);
call_hooks('activity_received',$parr);
- add_source_route($item_id,$sender['hash']);
+ // don't add a source route if it's a relay or later recipients will get a route mismatch
+ if(! $relay)
+ add_source_route($item_id,$sender['hash']);
}
$result[] = array($d['hash'],(($item_id) ? 'posted' : 'storage failed:' . $item_result['message']),$channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>',$arr['mid']);
}
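Review bot: The new `if(! $relay)` guard around `add_source_route()` is written without braces, and the route it controls now feeds the mismatch check added earlier in process_delivery. A statement added beneath it later would run for relays too, so brace it: `if(! $relay) { add_source_route($item_id,$sender['hash']); }`. The enclosing function begins outside this hunk.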