Diffstat (limited to 'include')
-rw-r--r-- | include/attach.php | 31 | ||||
-rw-r--r-- | include/items.php | 18 | ||||
-rw-r--r-- | include/security.php | 1 |
3 files changed, 30 insertions, 20 deletions
diff --git a/include/attach.php b/include/attach.php index 1de5f5a67..ead5a8e06 100644 --- a/include/attach.php +++ b/include/attach.php @@ -254,7 +254,7 @@ function attach_list_files($channel_id, $observer, $hash = '', $filename = '', $ * @param int $rev (optional) Revision default 0 * @return array */ -function attach_by_hash($hash, $observer_hash, $rev = 0) { +function attach_by_hash($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) { $ret = array('success' => false); @@ -274,7 +274,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) { return $ret; } - if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) { + if(! attach_can_view($r[0]['uid'], $observer_hash, $hash, $token)) { $ret['message'] = t('Permission denied.'); return $ret; } @@ -311,7 +311,7 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) { * @param string $observer_hash * @return array */ -function attach_by_id($id, $observer_hash) { +function attach_by_id($id, $observer_hash, $token = EMPTY_STR) { $ret = array('success' => false); @@ -325,7 +325,7 @@ function attach_by_id($id, $observer_hash) { return $ret; } - if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'])) { + if(! attach_can_view($r[0]['uid'], $observer_hash, $r[0]['hash'], $token)) { $ret['message'] = t('Permission denied.'); return $ret; } @@ -340,17 +340,16 @@ function attach_by_id($id, $observer_hash) { function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) { - $sql_extra = permissions_sql($uid, $ob_hash, '', $token); - $hash = $resource; - if (!$token) { if(! perm_is_allowed($uid, $ob_hash, 'view_storage')) { return false; } } + $sql_extra = permissions_sql($uid, $ob_hash, '', $token); + $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra", - dbesc($hash), + dbesc($resource), intval($uid) ); 
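Review bot: The new `$token = EMPTY_STR` parameter of `attach_by_hash` is undocumented: the docblock ending just above it still lists only `@param int $rev` and `@return array`, and the `attach_by_id` hunk further along this line has the same gap. Since the `attach_can_view` hunk on this same line shows `perm_is_allowed(..., 'view_storage')` being skipped whenever the token is non-empty, the parameter changes the authorisation path and deserves an explicit line: `@param string $token (optional) access token passed on to attach_can_view(); a non-empty token replaces the channel view_storage check with the token-scoped permissions_sql() clause`. Both function bodies continue outside their hunks.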
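Review bot: When `$token` is non-empty, `attach_can_view` now has no permission gate other than the `$sql_extra` clause from `permissions_sql($uid, $ob_hash, '', $token)`, because the `if (!$token)` guard skips `perm_is_allowed($uid, $ob_hash, 'view_storage')` entirely and this commit routes `$token` here from `attach_by_hash` and `attach_by_id`. That is only safe if `permissions_sql()` produces a clause that denies everything for an unknown, revoked or expired token instead of degrading to an empty string, and if the callers obtain the token from a trusted source rather than forwarding an arbitrary request parameter; neither is visible in this diff, so please confirm both. The reordering itself is fine (the clause is no longer built for callers that fail the permission check), but the reason the guard exists is not stated anywhere; a comment such as `// A non-empty access token stands in for the channel-level view_storage permission; permissions_sql() must then limit the lookup to rows the token's ACL entry covers.` above `if (!$token)` would make the contract explicit. The function body continues past the end of the hunk.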
@@ -373,24 +372,22 @@ function attach_can_view($uid, $ob_hash, $resource, $token = EMPTY_STR) { function attach_can_view_folder($uid, $ob_hash, $folder_hash, $token = EMPTY_STR) { - $sql_extra = permissions_sql($uid, $ob_hash, '', $token); - $hash = $folder_hash; - if(!$folder_hash && !$token) { return perm_is_allowed($uid, $ob_hash, 'view_storage'); } + $sql_extra = permissions_sql($uid, $ob_hash, '', $token); do { $r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra", - dbesc($hash), + dbesc($folder_hash), intval($uid) ); if(! $r) return false; - $hash = $r[0]['folder']; - } while($hash); + $folder_hash = $r[0]['folder']; + } while($folder_hash); return true; } @@ -410,7 +407,7 @@ function attach_can_view_folder($uid, $ob_hash, $folder_hash, $token = EMPTY_STR * * \e string \b message (optional) only when success is false * * \e array \b data array of attach DB entry without data component */ -function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) { +function attach_by_hash_nodata($hash, $observer_hash, $rev = 0, $token = EMPTY_STR) { $ret = array('success' => false); @@ -435,7 +432,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) { return $ret; } - $sql_extra = permissions_sql($r[0]['uid'], $observer_hash); + $sql_extra = permissions_sql($r[0]['uid'], $observer_hash, '', $token); // Now we'll see if we can access the attachment @@ -450,7 +447,7 @@ function attach_by_hash_nodata($hash, $observer_hash, $rev = 0) { } if($r[0]['folder']) { - $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder']); + $x = attach_can_view_folder($r[0]['uid'], $observer_hash, $r[0]['folder'], $token); if(! $x) { $ret['message'] = t('Permission denied.'); return $ret; diff --git a/include/items.php b/include/items.php index a74fe8b50..c6aeaa0ed 100644 --- a/include/items.php +++ b/include/items.php 
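Review bot: The `} while($folder_hash);` walk in `attach_can_view_folder` still terminates only when a row's `folder` column is empty, so an `attach` row whose `folder` points back at itself or at a descendant would spin this request forever, and the rename does not change that. Whether such rows can exist depends on how `folder` is written, which this diff does not show, but a visited-set guard is cheap, keeps every ancestor subject to the permission-scoped lookup, and turns a corrupt chain into a denial rather than a hang. Separately, when `$folder_hash` is empty but `$token` is set the early return is skipped and the loop queries `hash = ''`, which yields false; that is acceptable but worth a one-line comment so nobody "fixes" it. The guarded loop would read:
```php
	$sql_extra = permissions_sql($uid, $ob_hash, '', $token);
	$seen = [];
	do {
		// A folder chain that revisits a hash can only be a corrupt or hostile
		// tree; deny rather than spin on it.
		if (isset($seen[$folder_hash]))
			return false;
		$seen[$folder_hash] = true;
		// … unchanged: permission-scoped lookup of the parent folder and the if(! $r) check …
		$folder_hash = $r[0]['folder'];
	} while($folder_hash);
```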
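Review bot: `attach_by_hash_nodata` keeps its own copy of the token-aware authorisation — a `permissions_sql($r[0]['uid'], $observer_hash, '', $token)` clause in the 435 hunk plus a direct `attach_can_view_folder(...)` call in the 450 hunk — whereas `attach_by_hash` and `attach_by_id` delegate to `attach_can_view`, so two code paths now decide the same question and must be kept in step by hand. In particular these hunks show no `view_storage` check for the no-token case; if one exists it is outside the hunk, and if it does not, the nodata path is more permissive than the data path for the same file. Routing it through the shared helper, `if(! attach_can_view($r[0]['uid'], $observer_hash, $hash, $token)) { $ret['message'] = t('Permission denied.'); return $ret; }`, would give one function ownership of the policy. The function body starts and ends outside these hunks.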
@@ -242,9 +242,21 @@ function comments_are_now_closed($item) { } function item_normal() { - return " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0 - and item.item_unpublished = 0 and item.item_delayed = 0 and item.item_pending_remove = 0 - and item.item_blocked = 0 "; + $profile_uid = App::$profile['profile_uid'] ?? App::$profile_uid ?? null; + $uid = local_channel(); + $is_owner = ($uid && intval($profile_uid) === $uid); + + $sql = " and item.item_hidden = 0 and item.item_type = 0 and item.item_deleted = 0 + and item.item_unpublished = 0 and item.item_pending_remove = 0"; + + if ($is_owner) { + $sql .= " and item.item_blocked IN (0, " . intval(ITEM_MODERATED) . ") and item.item_delayed IN (0, 1) "; + } + else { + $sql .= " and item.item_blocked = 0 and item.item_delayed = 0 "; + } + + return $sql; } function item_normal_search() { diff --git a/include/security.php b/include/security.php index 539e5f5b5..5ea6f13ef 100644 --- a/include/security.php +++ b/include/security.php @@ -326,6 +326,7 @@ function change_channel($change_channel) { * @param int $owner_id * @param bool $remote_observer (optional) use current observer if unset * @param $table (optional) + * @param $token (optional) * * @return string additional SQL where statement */ |
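Review bot: The owner branch of `item_normal()` relaxes `item_blocked` and `item_delayed` for every row the surrounding query touches, not just for the owner's own rows: the condition is keyed on `App::$profile['profile_uid']` matching `local_channel()`, so any stream, search or API query that embeds this fragment while the user's own profile is loaded would also return other channels' moderated (`ITEM_MODERATED`) and delayed items. Which callers run under that state is not visible here, but tying the exception to the owning channel costs nothing and removes the question; if the item table carries the owner in `item.uid` as `attach` does, the owner branch can be written as below. Two smaller points: the strict `intval($profile_uid) === $uid` is only ever true if `local_channel()` returns an int rather than a numeric string, and the function has no doc comment — a line such as `// SQL fragment for normal, visible items; the profile owner additionally sees their own moderated and delayed items` above `function item_normal()` would help. The sibling `item_normal_search()` begins at the end of the hunk and is unchanged.
```php
	if ($is_owner) {
		$owner = intval($uid);
		// Only the owner's own rows may be moderated or delayed; never relax
		// the filter for items owned by other channels.
		$sql .= " and (item.item_blocked = 0 or (item.uid = $owner and item.item_blocked = " . intval(ITEM_MODERATED) . "))"
		      . " and (item.item_delayed = 0 or (item.uid = $owner and item.item_delayed = 1)) ";
	}
	// … unchanged: non-owner branch and return $sql …
```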
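Review bot: The added `@param $token (optional)` line gives neither a type nor a meaning, yet this parameter — on what appears to be `permissions_sql()`, given that the listed parameters match the `permissions_sql($uid, $ob_hash, '', $token)` call sites in attach.php — is the only thing standing between a token-bearing request and a file once `attach_can_view` skips its `view_storage` check. Document the contract the callers now depend on, for example `@param string $token (optional) access token; when non-empty the returned clause must admit only rows the token's ACL entry grants, because callers such as attach_can_view() skip perm_is_allowed() for token requests`, adjusted to what the body actually does. The function body is outside this hunk.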