aboutsummaryrefslogtreecommitdiffstats
path: root/include/permissions.php
Commit message (Collapse)AuthorAgeFilesLines
* permissions cleanupzotlabs2019-04-051-4/+12
|
* security: perms_pending not evaluated correctlyzotlabs2019-04-051-3/+3
|
* When checking permissions ignore checking site "Block Public" settings in ↵zotlabs2018-07-301-6/+11
| | | | cases where site permissions aren't applicable
* better fix to permisisons.php - just cast to int. That's exactly what we want.zotlabs2018-04-191-4/+1
|
* permissions php error applying bit compare operation on a (presumed) booleanzotlabs2018-04-191-0/+3
|
* remove some obsolete permissions stuffzotlabs2017-04-021-415/+5
|
* change hook for perm_is_allowed while retaining backwards compatibilityzotlabs2017-04-021-3/+4
|
* document that include/permissions is being deprecated but may still be needed.redmatrix2016-08-311-0/+6
|
* This checkin should make all permission modes work correctly with atokens ↵redmatrix2016-08-011-15/+41
| | | | (they should be able to post content if allowed to). It also removes the strict linkage between permissions and connections so any individual permission can be set for any xchan; even those for which you have no connections.
* make guest access tokens work with PERMS_NETWORK, PERMS_SITE, PERMS_PENDING, ↵redmatrix2016-07-311-0/+9
| | | | and PERMS_CONTACTS; or everything but PERMS_SPECIFIC. PERMS_SITE could be contentious, but we're currently denying them as they are a guest and don't actually have a channel on this site. We can't easily make PERMS_SPECIFIC work without providing an abook entry for the guest since we would need to set specific permissions for the guest login, but unfortunately this could be the most desirable setting to use in many cases. There is also an update of hmessages.po in this commit.
* rework perm_is_allowedredmatrix2016-07-131-4/+8
|
* lots more permission workredmatrix2016-07-131-2/+7
|
* change default so we don't have to check for array existence laterredmatrix2016-07-091-1/+1
|
* more permissions workredmatrix2016-07-091-1/+3
|
* more work on permsredmatrix2016-07-091-3/+5
|
* more heavy lifting on xtensible permsredmatrix2016-07-041-233/+244
|
* more heavy lifting on extensible permsredmatrix2016-07-041-13/+16
|
* static Appredmatrix2016-03-311-2/+2
|
* work on implementing account/channel move (as opposed to clone)redmatrix2016-03-091-4/+14
|
* pimp up mod new_channelMario Vavti2016-02-191-4/+4
|
* change view_storage from perms_public to perms_specific in the ↵redmatrix2016-02-031-1/+1
| | | | social_private role
* regression: public forums granting send stream permissions to all connectionsredmatrix2016-01-211-2/+2
|
* the view_photos and post_photos permissions are redundant and are now mapped ↵redmatrix2015-07-191-46/+22
| | | | to view_storage and write_storage
* convert the abook fieldsredmatrix2015-06-141-14/+12
|
* Implement permission checking for OAuth clients using the xperm table. ↵redmatrix2015-05-171-0/+84
| | | | Currently 'all' permissions are applied to OAuth clients which gives them the same rights as the channel owner and full access to API functions as the channel owner. However, individual permissions can now be created. These mirror the permission names from the normal permission table (although it isn't required that they do so). Lack of an xp_perm entry for the specified permission and lack of an 'all' override indicates permission denied.
* use PERMS_SPECIFIC for anything that hasn't been specified. This way there's ↵friendica2015-04-211-24/+24
| | | | nothing that's "only yourself", and let's you add additional permissions at will rather than be forced to accept the defaults or turn on custom permissions just to give a friend delegation rights or the ability to post photos.
* Correcting reported Doxygen syntax warnings.Klaus Weidenbach2015-03-291-14/+14
| | | | | | | Fixed wrong Doxygen syntax and add some of the available FIXME to Doxygen documentation. Updated Doxygen configuration to add also all capital letter tags. Adding some more Doxygen documentation.
* change permission roles for things like channel admin to make them more ↵friendica2015-03-201-27/+27
| | | | easily manually settable from the connections edit page.
* Use grouped select field for role selectionStefan Parviainen2015-01-011-29/+9
|
* change PERMS_CONTACTS to PERMS_SPECIFIC in permission roles so that ↵friendica2014-12-261-53/+53
| | | | individual connections can be revoked instead of this being inherited and un-changeable
* Some Doxygen comments and small cleanups.Klaus Weidenbach2014-12-071-68/+98
|
* minor photo flag issue - and some more whitespace editsfriendica2014-11-191-1/+1
|
* Merge remote-tracking branch 'upstream/master'Habeas Codice2014-11-131-3/+3
|\ | | | | | | | | | | | | | | | | | | | | | | Conflicts: boot.php include/dba/dba_driver.php include/diaspora.php include/follow.php include/session.php include/zot.php mod/photos.php mod/ping.php
| * set channel_w_stream to 0 for forum roleszottel2014-11-101-3/+3
| |
* | PostgreSQL support initial commitHabeas Codice2014-11-131-2/+2
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were 11 main types of changes: - UPDATE's and DELETE's sometimes had LIMIT 1 at the end of them. This is not only non-compliant but it would certainly not do what whoever wrote it thought it would. It is likely this mistake was just copied from Friendica. All of these instances, the LIMIT 1 was simply removed. - Bitwise operations (and even some non-zero int checks) erroneously rely on MySQL implicit integer-boolean conversion in the WHERE clauses. This is non-compliant (and bad programming practice to boot). Proper explicit boolean conversions were added. New queries should use proper conventions. - MySQL has a different operator for bitwise XOR than postgres. Rather than add yet another dba_ func, I converted them to "& ~" ("AND NOT") when turning off, and "|" ("OR") when turning on. There were no true toggles (XOR). New queries should refrain from using XOR when not necessary. - There are several fields which the schema has marked as NOT NULL, but the inserts don't specify them. The reason this works is because mysql totally ignores the constraint and adds an empty text default automatically. Again, non-compliant, obviously. In these cases a default of empty text was added. - Several statements rely on a non-standard MySQL feature (http://dev.mysql.com/doc/refman/5.5/en/group-by-handling.html). These queries can all be rewritten to be standards compliant. Interestingly enough, the newly rewritten standards compliant queries run a zillion times faster, even on MySQL. - A couple of function/operator name translations were needed (RAND/RANDOM, GROUP_CONCAT/STRING_AGG, UTC_NOW, REGEXP/~, ^/#) -- assist functions added in the dba_ - INTERVALs: postgres requires quotes around the value, mysql requires that there are not quotes around the value -- assist functions added in the dba_ - NULL_DATE's -- Postgres does not allow the invalid date '0000-00-00 00:00:00' (there is no such thing as year 0 or month 0 or day 0). We use '0001-01-01 00:00:00' for postgres. Conversions are handled in Zot/item packets automagically by quoting all dates with dbescdate(). - char(##) specifications in the schema creates fields with blank spaces that aren't trimmed in the code. MySQL apparently treats char(##) as varchar(##), again, non-compliant. Since postgres works better with text fields anyway, this ball of bugs was simply side-stepped by using 'text' datatype for all text fields in the postgres schema. varchar was used in a couple of places where it actually seemed appropriate (size constraint), but without rigorously vetting that all of the PHP code actually validates data, new bugs might come out from under the rug. - postgres doesn't store nul bytes and a few other non-printables in text fields, even when quoted. bytea fields were used when storing binary data (photo.data, attach.data). A new dbescbin() function was added to handle this transparently. - postgres does not support LIMIT #,# syntax. All databases support LIMIT # OFFSET # syntax. Statements were updated to be standard. These changes require corresponding changes in the coding standards. Please review those before adding any code going forward. Still on my TODO list: - remove quotes from non-reserved identifiers and make reserved identifiers use dba func for quoting - Rewrite search queries for better results (both MySQL and Postgres)
* add "repository" permissions role and make sure we have a sane "accept" ↵friendica2014-10-271-2/+45
| | | | default for the custom role.
* put privacy role selector in settings page. Change visibility of various ↵friendica2014-10-261-0/+4
| | | | permissions items accordingly.
* allow custom role permissions and fix site timezone.friendica2014-09-291-0/+5
|
* closing tagfriendica2014-09-191-1/+1
|
* usability tweaksfriendica2014-09-171-0/+9
|
* channel permission rolesfriendica2014-09-171-1/+26
|
* defined several permission roles - these will probably require some review ↵friendica2014-09-171-0/+245
| | | | | | | | | | | | | | and adjustment. social social_restricted social_private forum forum_restricted forum_private feed feed_restricted soapbox
* implement permission roles - the backend should be done except for maybe a ↵friendica2014-09-171-4/+7
| | | | couple of small tweaks. Now we just need to define the rest of the roles and create a chooser for them. Adam started on this some time back but I don't know where that has gone.
* beginning of permission role settingsfriendica2014-08-171-0/+60
|
* Added some missing translation strings. Fixed to scalable for a few font sizes.Jeroen2014-08-141-1/+1
|
* a bit more cleanup and a bug fix or two for the new private post security modelfriendica2014-08-071-9/+9
|
* provide a specific permission for liking profiles (reuse the obsolete ↵friendica2014-07-171-1/+4
| | | | bookmark permission), also remove the unused 'unconnected contacts' view for now.
* add 'block_public' checking to get_all_perms() and perm_is_allowed() so we ↵friendica2014-07-031-0/+12
| | | | have everything related to allowing or denying something in one place. Currently this check is done separately in a huge number of places. Now we can start to remove all the extra checks. A couple of them are still necessary, but most are now redundant.
* Implements a new permission level PERMS_PENDINGAlexandre Hannud Abdo2014-06-191-17/+23
| | | | | | | | | | | | | | | | With this a user can allow some action to any user which connects to them, even before they've connected back. Ref. https://mobiliza.org.br/display/478d9e71eaf55748dc646d3990651d6d34cfb7db5c38360538ec730ca3ccf908@zothub.com Also some code cleanup and an alternative logic for handling notifications of permission changes in zot.php. This assumes that private posts are still restricted to people in your addressbook. Regardless of your global permissions, a pending channel won't get private posts, even if the post only has a deny clause not matching the pending channel.
* Remove automatic bookmarking - it was a bad idea and just leads to menu ↵friendica2014-04-301-1/+1
| | | | clutter. Bookmarks can always be saved manually if desired.