Diffstat (limited to 'include')
-rw-r--r--include/attach.php31
-rw-r--r--include/items.php18
-rw-r--r--include/security.php1
3 files changed, 30 insertions, 20 deletions
diff --git a/include/attach.php b/include/attach.php
index 1de5f5a67..ead5a8e06 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -254,7 +254,7 @@ function attach_list_files($channel_id, $observer, $hash = '', $filename = '', $
* @param int $rev (optional) Revision default 0
* @return array
*/
-function attach_by_hash($hash, $observer_hash, $rev = 0) {
+function attach_by_hash($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) {
$ret = array('success' => false);
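Review bot: The docblock above the signature still ends with `@param int $rev`, so the new `$token` parameter is undocumented; add `* @param string $token (optional) access token forwarded to attach_can_view(), default EMPTY_STR` before the `@return array` line. The same missing `@param` applies to attach_by_id in the hunk at -311 and attach_by_hash_nodata in the hunk at -410, whose docblocks likewise stop at the previous last parameter. attach_by_hash's body continues outside the hunk.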
@@ -274,7 +274,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
return $ret;
}
- if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $hash, $token)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
@@ -311,7 +311,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
* @param string $observer_hash
* @return array
*/
-function attach_by_id($id, $observer_hash) {
+function attach_by_id($id, $observer_hash, $token = EMPTY_STR) {
$ret = array('success' => false);
@@ -325,7 +325,7 @@ function attach_by_id($id, $observer_hash) {
return $ret;
}
- if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'])) {
+ if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'], $token)) {
$ret['message'] = t('Permission denied.');
return $ret;
}
@@ -340,17 +340,16 @@ function attach_by_id($id, $observer_hash) {
function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) {
- $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
- $hash = $resource;
-
if (!$token) {
if(! perm_is_allowed($uid, $ob_hash, 'view_storage')) {
return false;
}
}
+ $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
+
$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
- dbesc($hash),
+ dbesc($resource),
intval($uid)
);
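Review bot: `if (!$token)` tests truthiness, so a token value of `'0'` would be treated as absent and fall through to the `view_storage` check; since the declared default is `EMPTY_STR`, `if ($token === EMPTY_STR)` states the intent exactly and matches the strict style used elsewhere in the hunk. Moving the `permissions_sql()` call below the permission check is a reasonable change, as it avoids building the SQL fragment when access is already denied. attach_can_view's body continues past the end of the hunk, so the use of `$r` is not visible here.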
@@ -373,24 +372,22 @@ function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) {
function attach_can_view_folder($uid, $ob_hash, $folder_hash, $token = EMPTY_STR) {
- $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
- $hash = $folder_hash;
-
if(!$folder_hash && !$token) {
return perm_is_allowed($uid, $ob_hash, 'view_storage');
}
+ $sql_extra = permissions_sql($uid, $ob_hash, '', $token);
do {
$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
- dbesc($hash),
+ dbesc($folder_hash),
intval($uid)
);
if(! $r)
return false;
- $hash = $r[0]['folder'];
- } while($hash);
+ $folder_hash = $r[0]['folder'];
+ } while($folder_hash);
return true;
}
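Review bot: The rewritten loop reassigns the `$folder_hash` parameter on the line `$folder_hash = $r[0]['folder'];`, which reads as mutation of the input; a separate local such as `$cursor = $folder_hash;` used for the query and the reassignment keeps the parameter meaningful if the function later needs the original value. While this loop is being touched, note that it walks parent folders until an empty `folder` column is found, so if attach rows could ever form a reference cycle it would never terminate; a small visited set, `if (isset($seen[$folder_hash])) return false; $seen[$folder_hash] = true;` at the top of the loop body, bounds it. I cannot tell from here whether the schema or the write path already prevents such cycles.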
@@ -410,7 +407,7 @@ function attach_can_view_folder($uid, $ob_hash, $folder_hash, $token = EMPTY_STR
* * \e string \b message (optional) only when success is false
* * \e array \b data array of attach DB entry without data component
*/
-function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
+function attach_by_hash_nodata($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) {
$ret = array('success' => false);
@@ -435,7 +432,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
return $ret;
}
- $sql_extra = permissions_sql($r[0]['uid'], $observer_hash);
+ $sql_extra = permissions_sql($r[0]['uid'], $observer_hash, '', $token);
// Now we'll see if we can access the attachment
@@ -450,7 +447,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) {
}
if($r[0]['folder']) {
- $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder']);
+ $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder'], $token);
if(! $x) {
$ret['message'] = t('Permission denied.');
return $ret;
diff --git a/include/items.php b/include/items.php
index a74fe8b50..c6aeaa0ed 100644
--- a/include/items.php
+++ b/include/items.php
@@ -242,9 +242,21 @@ function comments_are_now_closed($item) {
}
function item_normal() {
- return " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0
- and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_pending_remove = 0
- and item.item_blocked = 0 ";
+ $profile_uid = App::$profile['profile_uid'] ?? App::$profile_uid ?? null;
+ $uid = local_channel();
+ $is_owner = ($uid && intval($profile_uid) === $uid);
+
+ $sql = " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0
+ and item.item_unpublished = 0 and item.item_pending_remove = 0";
+
+ if ($is_owner) {
+ $sql .= " and item.item_blocked IN (0, " . intval(ITEM_MODERATED) . ") and item.item_delayed IN (0, 1) ";
+ }
+ else {
+ $sql .= " and item.item_blocked = 0 and item.item_delayed = 0 ";
+ }
+
+ return $sql;
}
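Review bot: item_normal() now returns a fragment that depends on request state (`App::$profile` and `local_channel()`) rather than a constant, but nothing documents this, and any caller that reuses or caches the string across viewers, or calls it outside a profile-page context, would silently get the owner variant and expose moderated or delayed items. Add a docblock above the function stating that when the local channel is the owner of the profile being viewed the conditions also admit `item_blocked = ITEM_MODERATED` and `item_delayed = 1`, and that all other viewers get the previous fixed conditions. The comparison `intval($profile_uid) === $uid` is strict, so it relies on local_channel() returning an int; if it can return a numeric string this branch would never be taken, which is worth confirming. item_normal_search() begins on the last context line, so I cannot see whether it should mirror this change.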
function item_normal_search() {
diff --git a/include/security.php b/include/security.php
index 539e5f5b5..5ea6f13ef 100644
--- a/include/security.php
+++ b/include/security.php
@@ -326,6 +326,7 @@ function change_channel($change_channel) {
* @param int $owner_id
* @param bool $remote_observer (optional) use current observer if unset
* @param $table (optional)
+ * @param $token (optional)
*
* @return string additional SQL where statement
*/
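Review bot: The added `@param $token (optional)` omits the type, while the neighbouring `$owner_id` and `$remote_observer` entries carry one; `* @param string $token (optional)` keeps the docblock consistent with them. The function signature this docblock describes lies outside the hunk, so I cannot confirm the parameter's default from here.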