From 1fd65c934da1efcbc3e44c5ec1c5112859ba50f9 Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Wed, 13 Jul 2016 19:53:28 -0700
Subject: lots more permission work

---
 Zotlabs/Module/Acl.php      | 59 +++++++++++++++++++++++++++++++--------------
 Zotlabs/Module/Connedit.php |  2 +-
 Zotlabs/Module/Probe.php    |  2 --
 Zotlabs/Zot/Finger.php      |  2 +-
 include/permissions.php     |  9 +++++--
 5 files changed, 50 insertions(+), 24 deletions(-)

diff --git a/Zotlabs/Module/Acl.php b/Zotlabs/Module/Acl.php
index d7516af33..0e02a2f66 100644
--- a/Zotlabs/Module/Acl.php
+++ b/Zotlabs/Module/Acl.php
@@ -58,7 +58,23 @@ class Acl extends \Zotlabs\Web\Controller {
 	
 		if( (! local_channel()) && (! ($type == 'x' || $type == 'c')))
 			killme();
-	
+
+		$permitted = [];
+
+		if(in_array($type, [ 'm', 'a', 'c' ])) {
+
+			// These queries require permission checking. We'll create a simple array of xchan_hash for those with
+			// the requisite permissions which we can check against. 
+
+			$x = q("select xchan from abconfig where chan = %d and cat = 'their_perms' and k = '%s' and v = 1",
+				intval(local_channel()),
+				dbesc(($type === 'm') ? 'post_mail' : 'tag_deliver')
+			);
+
+			$permitted = ids_to_array($x,'xchan');
+		}
+
+
 		if($search) {
 			$sql_extra = " AND `name` LIKE " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " ";
 			$sql_extra2 = "AND ( xchan_name LIKE " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " OR xchan_addr LIKE " . protect_sprintf( "'%" . dbesc($search) . ((strpos($search,'@') === false) ? "%@%'"  : "%'")) . ") ";
@@ -87,13 +103,13 @@ class Acl extends \Zotlabs\Web\Controller {
 		
 		if($type == '' || $type == 'g') {
 	
-			$r = q("SELECT `groups`.`id`, `groups`.`hash`, `groups`.`gname`
-					FROM `groups`,`group_member` 
-					WHERE `groups`.`deleted` = 0 AND `groups`.`uid` = %d 
-					AND `group_member`.`gid`=`groups`.`id`
+			$r = q("SELECT groups.id, groups.hash, groups.gname
+					FROM groups,group_member 
+					WHERE groups.deleted = 0 AND groups.uid = %d 
+					AND group_member.gid=groups.id
 					$sql_extra
-					GROUP BY `groups`.`id`
-					ORDER BY `groups`.`gname` 
+					GROUP BY groups.id
+					ORDER BY groups.gname 
 					LIMIT %d OFFSET %d",
 				intval(local_channel()),
 				intval($count),
@@ -139,7 +155,7 @@ class Acl extends \Zotlabs\Web\Controller {
 	
 			}
 			else { // Visitors
-				$r = q("SELECT xchan_hash as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, 0 as abook_their_perms, xchan_pubforum, 0 as abook_flags, 0 as abook_self
+				$r = q("SELECT xchan_hash as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, 0 as abook_their_perms, 0 as abook_flags, 0 as abook_self
 					FROM xchan left join xlink on xlink_link = xchan_hash
 					WHERE xlink_xchan  = '%s' AND xchan_deleted = 0 $sql_extra2 order by $order_extra2 xchan_name asc" ,
 					dbesc(get_observer_hash())
@@ -155,7 +171,7 @@ class Acl extends \Zotlabs\Web\Controller {
 							$known_hashes[] = "'".$rr['hash']."'";
 					$known_hashes_sql = 'AND xchan_hash not in ('.join(',',$known_hashes).')';
 	
-					$r2 = q("SELECT abook_id as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, abook_their_perms, xchan_pubforum, abook_flags, abook_self 
+					$r2 = q("SELECT abook_id as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, abook_their_perms, abook_flags, abook_self 
 						FROM abook left join xchan on abook_xchan = xchan_hash 
 						WHERE abook_channel IN ($extra_channels_sql) $known_hashes_sql AND abook_blocked = 0 and abook_pending = 0 and abook_hidden = 0 and xchan_deleted = 0 $sql_extra2 order by $order_extra2 xchan_name asc");
 					if($r2)
@@ -184,7 +200,7 @@ class Acl extends \Zotlabs\Web\Controller {
 			}
 			if(intval(get_config('system','taganyone')) || intval(get_pconfig(local_channel(),'system','taganyone'))) {
 				if((count($r) < 100) && $type == 'c') {
-					$r2 = q("SELECT substr(xchan_hash,1,18) as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, 0 as abook_their_perms, 0 as abook_flags, 0 as abook_self, xchan_pubforum 
+					$r2 = q("SELECT substr(xchan_hash,1,18) as id, xchan_hash as hash, xchan_name as name, xchan_photo_s as micro, xchan_url as url, xchan_addr as nick, 0 as abook_their_perms, 0 as abook_flags, 0 as abook_self 
 						FROM xchan 
 						WHERE xchan_deleted = 0 $sql_extra2 order by $order_extra2 xchan_name asc" 
 					);
@@ -194,20 +210,27 @@ class Acl extends \Zotlabs\Web\Controller {
 			}
 		}
 		elseif($type == 'm') {
-	
-			$r = q("SELECT xchan_hash as id, xchan_name as name, xchan_addr as nick, xchan_photo_s as micro, xchan_url as url 
+			$r = array();
+			$z = q("SELECT xchan_hash as id, xchan_name as name, xchan_addr as nick, xchan_photo_s as micro, xchan_url as url 
 				FROM abook left join xchan on abook_xchan = xchan_hash
-				WHERE abook_channel = %d and ( (abook_their_perms = null) or (abook_their_perms & %d )>0)
+				WHERE abook_channel = %d 
 				and xchan_deleted = 0
 				$sql_extra3
-				ORDER BY `xchan_name` ASC ",
-				intval(local_channel()),
-				intval(PERMS_W_MAIL)
+				ORDER BY xchan_name ASC ",
+				intval(local_channel())
 			);
+			if($z) {
+				foreach($z as $zz) {
+					if(in_array($zz['id'],$permitted)) {
+						$r[] = $zz;
+					}
+				}
+			}
+			
 		}
 		elseif($type == 'a') {
 	
-			$r = q("SELECT abook_id as id, xchan_name as name, xchan_hash as hash, xchan_addr as nick, xchan_photo_s as micro, xchan_network as network, xchan_url as url, xchan_addr as attag , xchan_pubforum, abook_their_perms FROM abook left join xchan on abook_xchan = xchan_hash
+			$r = q("SELECT abook_id as id, xchan_name as name, xchan_hash as hash, xchan_addr as nick, xchan_photo_s as micro, xchan_network as network, xchan_url as url, xchan_addr as attag , abook_their_perms FROM abook left join xchan on abook_xchan = xchan_hash
 				WHERE abook_channel = %d
 				and xchan_deleted = 0
 				$sql_extra3
@@ -247,7 +270,7 @@ class Acl extends \Zotlabs\Web\Controller {
 				if(strpos($g['hash'],'/') && $type != 'a')
 					continue;
 	
-				if(($g['xchan_pubforum']) && $type == 'c' && (! $noforums)) {
+				if(in_array($g['hash'],$permitted) && $type == 'c' && (! $noforums)) {
 					$contacts[] = array(
 						"type"     => "c",
 						"photo"    => "images/twopeople.png",
diff --git a/Zotlabs/Module/Connedit.php b/Zotlabs/Module/Connedit.php
index 8aecfca4c..f9b1336a8 100644
--- a/Zotlabs/Module/Connedit.php
+++ b/Zotlabs/Module/Connedit.php
@@ -133,7 +133,7 @@ class Connedit extends \Zotlabs\Web\Controller {
 
 		if($all_perms) {
 			foreach($all_perms as $perm => $desc) {
-				if(in_array('perms_' . $perm, $_POST)) {
+				if(array_key_exists('perms_' . $perm, $_POST)) {
 					set_abconfig($channel['channel_id'],$orig_record[0]['abook_xchan'],'my_perms',$perm,
 						intval($_POST['perms_' . $perm]));
 					$abook_my_perms ++;
diff --git a/Zotlabs/Module/Probe.php b/Zotlabs/Module/Probe.php
index dda792131..7fc0e8ff5 100644
--- a/Zotlabs/Module/Probe.php
+++ b/Zotlabs/Module/Probe.php
@@ -23,8 +23,6 @@ class Probe extends \Zotlabs\Web\Controller {
 			
 			$j = \Zotlabs\Zot\Finger::run($addr,$channel,false);
 
-			//			$res = zot_finger($addr,$channel,false);
-
 			$o .= '<pre>';
 			if(! $j['success']) {
 				$o .= sprintf( t('Fetching URL returns error: %1$s'),$res['error'] . "\r\n\r\n");
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 229fda8bd..9d373b2e6 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -28,7 +28,7 @@ class Finger {
 
 		if (strpos($webbie,'@') === false) {
 			$address = $webbie;
-			$host = App::get_hostname();
+			$host = \App::get_hostname();
 		} else {
 			$address = substr($webbie,0,strpos($webbie,'@'));
 			$host = substr($webbie,strpos($webbie,'@')+1);
diff --git a/include/permissions.php b/include/permissions.php
index 5527d0afc..bc3cfdd2a 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -239,8 +239,13 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 		// Permission granted to certain channels. Let's see if the observer is one of them
 
 		if($channel_perm & PERMS_SPECIFIC) {
-			if(array_key_exists('my_perms',$abperms) && array_key_exists($perm_name,$abperms['my_perms']) && $abperms['my_perms'][$perm_name]) {
-				$ret[$perm_name] = true;
+			if($abperms) {
+				foreach($abperms as $ab) {
+					if(($ab['cat'] == 'my_perms') && ($ab['k'] == $perm_name)) {
+						$ret[$perm_name] = (intval($ab['v']) ? true : false);
+						break;
+					}
+				}
 				continue;
 			}
 		}
-- 
cgit v1.2.3