aboutsummaryrefslogtreecommitdiffstats
path: root/include/security.php
Commit message (Collapse)AuthorAgeFilesLines
* This checkin should make all permission modes work correctly with atokens ↵redmatrix2016-08-011-1/+73
| | | | (they should be able to post content if allowed to). It also removes the strict linkage between permissions and connections so any individual permission can be set for any xchan; even those for which you have no connections.
* make guest access tokens work with PERMS_NETWORK, PERMS_SITE, PERMS_PENDING, ↵redmatrix2016-07-311-0/+28
| | | | and PERMS_CONTACTS; or everything but PERMS_SPECIFIC. PERMS_SITE could be contentious, but we're currently denying them as they are a guest and don't actually have a channel on this site. We can't easily make PERMS_SPECIFIC work without providing an abook entry for the guest since we would need to set specific permissions for the guest login, but unfortunately this could be the most desirable setting to use in many cases. There is also an update of hmessages.po in this commit.
* Merge branch 'dev' into permsredmatrix2016-07-201-14/+15
|\
| * sort out some of the authentication mess - with luck this may fix the DAV ↵redmatrix2016-07-201-14/+15
| | | | | | | | auth issue which I simply could not duplicate or find a reason for.
* | Merge branch 'dev' into permsredmatrix2016-07-171-0/+38
|\|
| * make the xchan_hash for the access token location independentredmatrix2016-07-141-12/+15
| |
| * more ZAT workredmatrix2016-07-141-0/+2
| |
| * first cut at zot access tokensredmatrix2016-07-141-0/+33
| |
* | more work on permsredmatrix2016-07-121-15/+26
|/
* use the get_hostname function rather than parse the urlredmatrix2016-07-111-1/+1
|
* create change_channel hookredmatrix2016-07-111-0/+4
|
* create miniApp to convert existing settings files to the static App classredmatrix2016-03-311-11/+4
|
* static Appredmatrix2016-03-311-16/+16
|
* deprecate $a->get_baseurl()redmatrix2016-03-301-3/+3
|
* some minor cleanupsredmatrix2016-03-101-1/+1
|
* issue #216 - calendar sharingredmatrix2016-02-241-7/+11
|
* add oembed provider for photosredmatrix2016-01-311-1/+1
|
* various issues from the forumsredmatrix2016-01-171-10/+13
|
* some minor cleanup - change the default of the discover tab (public stream ↵redmatrix2015-12-101-10/+8
| | | | access)
* add one more level of parentheses to ensure operator precedence is correctly ↵redmatrix2015-09-281-2/+2
| | | | evaluated
* check public scopes against visitor in item_permissions_sql()redmatrix2015-09-281-2/+38
|
* Merge https://github.com/redmatrix/redmatrix into pending_mergeredmatrix2015-09-071-2/+2
|\ | | | | | | | | Conflicts: util/messages.po
| * PRIVACY: item_private seems to have been removed from permissions_sql ↵redmatrix2015-09-071-2/+2
| | | | | | | | checking with an observer.
* | Merge branch 'master' of https://github.com/redmatrix/redmatrixredmatrix2015-07-141-0/+6
|\|
| * stream_perms_xchans() set to empty quoted string when no results rather than ↵redmatrix2015-07-141-0/+6
| | | | | | | | return an empty string
* | DB changes for some channel flagsredmatrix2015-06-151-14/+10
|/
* PRIVACY: possible privacy leakage under a defined set of circumstancesredmatrix2015-05-201-5/+5
|
* improve performance of the zotfeed queriesfriendica2015-03-231-2/+4
|
* Some cleanups and documentation.Klaus Weidenbach2015-03-041-22/+14
| | | | | | | Fixed some wrong variable names. Initialized some variables before using them. Removed some checks for STATUSNET_PRIVACY_COMPATIBILITY in include/security.php as it does not seem to be defined anywhere.
* remote_user => remote_channelfriendica2015-01-281-2/+2
|
* local_user => local_channelfriendica2015-01-281-9/+9
|
* Merge https://github.com/friendica/red into pending_mergefriendica2014-12-101-40/+77
|\
| * Some Doxygen comments and small cleanups.Klaus Weidenbach2014-12-071-40/+77
| |
* | block adult channels from inclusion in public content feedsfriendica2014-12-101-2/+2
|/
* PostgreSQL support initial commitHabeas Codice2014-11-131-14/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were 11 main types of changes: - UPDATE's and DELETE's sometimes had LIMIT 1 at the end of them. This is not only non-compliant but it would certainly not do what whoever wrote it thought it would. It is likely this mistake was just copied from Friendica. All of these instances, the LIMIT 1 was simply removed. - Bitwise operations (and even some non-zero int checks) erroneously rely on MySQL implicit integer-boolean conversion in the WHERE clauses. This is non-compliant (and bad programming practice to boot). Proper explicit boolean conversions were added. New queries should use proper conventions. - MySQL has a different operator for bitwise XOR than postgres. Rather than add yet another dba_ func, I converted them to "& ~" ("AND NOT") when turning off, and "|" ("OR") when turning on. There were no true toggles (XOR). New queries should refrain from using XOR when not necessary. - There are several fields which the schema has marked as NOT NULL, but the inserts don't specify them. The reason this works is because mysql totally ignores the constraint and adds an empty text default automatically. Again, non-compliant, obviously. In these cases a default of empty text was added. - Several statements rely on a non-standard MySQL feature (http://dev.mysql.com/doc/refman/5.5/en/group-by-handling.html). These queries can all be rewritten to be standards compliant. Interestingly enough, the newly rewritten standards compliant queries run a zillion times faster, even on MySQL. - A couple of function/operator name translations were needed (RAND/RANDOM, GROUP_CONCAT/STRING_AGG, UTC_NOW, REGEXP/~, ^/#) -- assist functions added in the dba_ - INTERVALs: postgres requires quotes around the value, mysql requires that there are not quotes around the value -- assist functions added in the dba_ - NULL_DATE's -- Postgres does not allow the invalid date '0000-00-00 00:00:00' (there is no such thing as year 0 or month 0 or day 0). We use '0001-01-01 00:00:00' for postgres. Conversions are handled in Zot/item packets automagically by quoting all dates with dbescdate(). - char(##) specifications in the schema creates fields with blank spaces that aren't trimmed in the code. MySQL apparently treats char(##) as varchar(##), again, non-compliant. Since postgres works better with text fields anyway, this ball of bugs was simply side-stepped by using 'text' datatype for all text fields in the postgres schema. varchar was used in a couple of places where it actually seemed appropriate (size constraint), but without rigorously vetting that all of the PHP code actually validates data, new bugs might come out from under the rug. - postgres doesn't store nul bytes and a few other non-printables in text fields, even when quoted. bytea fields were used when storing binary data (photo.data, attach.data). A new dbescbin() function was added to handle this transparently. - postgres does not support LIMIT #,# syntax. All databases support LIMIT # OFFSET # syntax. Statements were updated to be standard. These changes require corresponding changes in the coding standards. Please review those before adding any code going forward. Still on my TODO list: - remove quotes from non-reserved identifiers and make reserved identifiers use dba func for quoting - Rewrite search queries for better results (both MySQL and Postgres)
* Very, very cautiously let a developer switch to the sys chan ifThomas Willingham2014-09-151-0/+13
| | | | they're also an administrator.
* Bugger, revert - not only a dodgy cut and paste between terminals, butThomas Willingham2014-09-151-14/+0
| | | | also pushed to the wrong repo
* Very, very cautiously, let a developer switch to the sys chan, ifThomas Willingham2014-09-151-0/+14
| | | | they're also an admin.
* bad redirectsfriendica2014-09-111-0/+6
|
* provide os_mkdir to workaround permission issues with php mkdirfriendica2014-07-161-1/+1
|
* Implements a new permission level PERMS_PENDINGAlexandre Hannud Abdo2014-06-191-8/+13
| | | | | | | | | | | | | | | | With this a user can allow some action to any user which connects to them, even before they've connected back. Ref. https://mobiliza.org.br/display/478d9e71eaf55748dc646d3990651d6d34cfb7db5c38360538ec730ca3ccf908@zothub.com Also some code cleanup and an alternative logic for handling notifications of permission changes in zot.php. This assumes that private posts are still restricted to people in your addressbook. Regardless of your global permissions, a pending channel won't get private posts, even if the post only has a deny clause not matching the pending channel.
* access control modification functions (item specific - we may need these for ↵friendica2014-06-171-0/+1
| | | | several data types)
* more easter eggsfriendica2014-05-031-0/+6
|
* improve zotfeed for discover channel so it will send updates to posts you've ↵friendica2014-04-171-8/+6
| | | | already received. Incidentally I discovered why we had the meltdown replying to discover channel items the other day - but can't fix it easily.
* Don't count deleted channels when figuring out where to send a user on login.Thomas Willingham2014-04-111-2/+3
|
* more work on firehosefriendica2014-03-261-4/+6
|
* add admin/channelsfriendica2014-03-261-3/+3
|
* allow zotfeed to create a firehose of a site.friendica2014-03-261-6/+8
|
* This should resolve the dav authentication loop (correctly)friendica2014-02-221-2/+5
|
* fix login weirdness for accounts that need to be approvedfriendica2014-02-201-0/+11
|