From 63a42480c7eb36bdc8b63b31b2a4d222ba5751cd Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Mon, 23 Dec 2013 15:13:09 -0800
Subject: add account_level, is_foreigner and is_member functions; convert all
 e2ee user input and prompts to hex to avoid javascipt's lame handling of
 quotes. !!This breaks all prior encrypted posts.!!

---
 boot.php             |  2 +-
 include/bbcode.php   | 11 +++++++----
 include/identity.php | 32 ++++++++++++++++++++++++++++++++
 install/database.sql |  4 +++-
 install/update.php   | 11 ++++++++++-
 js/crypto.js         | 10 +++++-----
 js/main.js           |  9 +++++++++
 mod/chanview.php     | 12 ++++++++----
 mod/post.php         |  5 +++++
 9 files changed, 80 insertions(+), 16 deletions(-)

diff --git a/boot.php b/boot.php
index 7d9075af2..777d927d2 100755
--- a/boot.php
+++ b/boot.php
@@ -46,7 +46,7 @@ define ( 'RED_PLATFORM',            'Red Matrix' );
 define ( 'RED_VERSION',             trim(file_get_contents('version.inc')) . 'R');
 define ( 'ZOT_REVISION',            1     ); 
 
-define ( 'DB_UPDATE_VERSION',       1086  );
+define ( 'DB_UPDATE_VERSION',       1087  );
 
 define ( 'EOL',                    '<br />' . "\r\n"     );
 define ( 'ATOM_TIME',              'Y-m-d\TH:i:s\Z' );
diff --git a/include/bbcode.php b/include/bbcode.php
index 271cace73..6374675f1 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -105,21 +105,24 @@ function bb_parse_crypt($match) {
 	$attributes = $match[1];
 
 	$algorithm = "";
+
 	preg_match("/alg='(.*?)'/ism", $attributes, $matches);
 	if ($matches[1] != "")
-		$algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+		$algorithm = $matches[1];
 
 	preg_match("/alg=\&quot\;(.*?)\&quot\;/ism", $attributes, $matches);
 	if ($matches[1] != "")
-		$algorithm = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+		$algorithm = $matches[1];
 
 	$hint = "";
+
+
 	preg_match("/hint='(.*?)'/ism", $attributes, $matches);
 	if ($matches[1] != "")
-		$hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+		$hint = $matches[1];
 	preg_match("/hint=\&quot\;(.*?)\&quot\;/ism", $attributes, $matches);
 	if ($matches[1] != "")
-		$hint = html_entity_decode($matches[1],ENT_QUOTES,'UTF-8');
+		$hint = $matches[1];
 
 	$x = random_string();
 
diff --git a/include/identity.php b/include/identity.php
index be4e4be93..63b05f4bb 100644
--- a/include/identity.php
+++ b/include/identity.php
@@ -1138,3 +1138,35 @@ function get_default_profile_photo($size = 175) {
 			$scheme = 'rainbow_man';
 		return 'images/default_profile_photos/' . $scheme . '/' . $size . '.jpg';
 }
+
+
+/**
+ *
+ * @function is_foreigner($s)
+ *    Test whether a given identity is NOT a member of the Red Matrix
+ * @param string $s;
+ *    xchan_hash of the identity in question
+ *
+ * @returns boolean true or false
+ *
+ */
+
+function is_foreigner($s) {
+	return((strpbrk($s,':@')) ? true : false);
+}
+
+
+/**
+ *
+ * @function is_member($s)
+ *    Test whether a given identity is a member of the Red Matrix
+ * @param string $s;
+ *    xchan_hash of the identity in question
+ *
+ * @returns boolean true or false
+ *
+ */
+
+function is_member($s) {
+	return((is_foreigner($s)) ? false : true);
+}
\ No newline at end of file
diff --git a/install/database.sql b/install/database.sql
index f73460937..cb332c75b 100644
--- a/install/database.sql
+++ b/install/database.sql
@@ -54,6 +54,7 @@ CREATE TABLE IF NOT EXISTS `account` (
   `account_expires` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
   `account_expire_notified` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
   `account_service_class` char(32) NOT NULL DEFAULT '',
+  `account_level` int(10) unsigned NOT NULL DEFAULT 0,
   PRIMARY KEY (`account_id`),
   KEY `account_email` (`account_email`),
   KEY `account_service_class` (`account_service_class`),
@@ -63,7 +64,8 @@ CREATE TABLE IF NOT EXISTS `account` (
   KEY `account_lastlog` (`account_lastlog`),
   KEY `account_expires` (`account_expires`),
   KEY `account_default_channel` (`account_default_channel`),
-  KEY `account_external` (`account_external`)
+  KEY `account_external` (`account_external`),
+  KEY `account_level` (`account_level`)
 ) ENGINE=MyISAM  DEFAULT CHARSET=utf8;
 
 CREATE TABLE IF NOT EXISTS `addon` (
diff --git a/install/update.php b/install/update.php
index 817e4b6bc..c731eab06 100644
--- a/install/update.php
+++ b/install/update.php
@@ -1,6 +1,6 @@
 <?php
 
-define( 'UPDATE_VERSION' , 1086 );
+define( 'UPDATE_VERSION' , 1087 );
 
 /**
  *
@@ -948,3 +948,12 @@ function update_r1085() {
 	return UPDATE_FAILED;
 
 }
+
+function update_r1086() {
+	$r = q("ALTER TABLE `account` ADD `account_level` INT UNSIGNED NOT NULL DEFAULT '0',
+ADD INDEX ( `account_level` )");
+	if($r)
+		return UPDATE_SUCCESS;
+	return UPDATE_FAILED;
+}
+
diff --git a/js/crypto.js b/js/crypto.js
index a144e03ea..2e6402c62 100644
--- a/js/crypto.js
+++ b/js/crypto.js
@@ -43,7 +43,7 @@ function red_encrypt(alg, elem,text) {
 
 	// key and hint need to be localised
 
-	var enc_key = prompt(aStr['passphrase']);
+	var enc_key = bin2hex(prompt(aStr['passphrase']));
 
 	// If you don't provide a key you get rot13, which doesn't need a key
 	// but consequently isn't secure.  
@@ -59,7 +59,7 @@ function red_encrypt(alg, elem,text) {
 			// This is the prompt we're going to use when the receiver tries to open it.
 			// Maybe "Grandma's maiden name" or "our secret place" or something. 
 
-			var enc_hint = prompt(aStr['passhint']);
+			var enc_hint = bin2hex(prompt(aStr['passhint']));
 
 			enc_text = CryptoJS.AES.encrypt(text,enc_key);
 
@@ -72,7 +72,7 @@ function red_encrypt(alg, elem,text) {
 			// This is the prompt we're going to use when the receiver tries to open it.
 			// Maybe "Grandma's maiden name" or "our secret place" or something. 
 
-			var enc_hint = prompt(aStr['passhint']);
+			var enc_hint = bin2hex(prompt(aStr['passhint']));
 
 			enc_text = CryptoJS.Rabbit.encrypt(text,enc_key);
 			encrypted = enc_text.toString();
@@ -84,7 +84,7 @@ function red_encrypt(alg, elem,text) {
 			// This is the prompt we're going to use when the receiver tries to open it.
 			// Maybe "Grandma's maiden name" or "our secret place" or something. 
 
-			var enc_hint = prompt(aStr['passhint']);
+			var enc_hint = bin2hex(prompt(aStr['passhint']));
 
 			enc_text = CryptoJS.TripleDES.encrypt(text,enc_key);
 			encrypted = enc_text.toString();
@@ -135,7 +135,7 @@ function red_decrypt(alg,hint,text,elem) {
 	if(alg == 'rot13' || alg == 'triple-rot13')
 		dec_text = str_rot13(text);
 	else {
-		var enc_key = prompt((hint.length) ? hint : aStr['passphrase']);
+		var enc_key = bin2hex(prompt((hint.length) ? hex2bin(hint) : aStr['passphrase']));
 	}
 
 	if(alg == 'aes256') {
diff --git a/js/main.js b/js/main.js
index 70d11bfd3..c8e9fc9a2 100644
--- a/js/main.js
+++ b/js/main.js
@@ -873,6 +873,15 @@ function updateConvItems(mode,data) {
         return a.join('');  
     }  
 
+	function hex2bin(hex) {
+    	var bytes = [], str;
+
+    	for(var i=0; i< hex.length-1; i+=2)
+        	bytes.push(parseInt(hex.substr(i, 2), 16));
+
+    	return String.fromCharCode.apply(String, bytes);    
+	}
+
 	function groupChangeMember(gid, cid, sec_token) {
 		$('body .fakelink').css('cursor', 'wait');
 		$.get('group/' + gid + '/' + cid + "?t=" + sec_token, function(data) {
diff --git a/mod/chanview.php b/mod/chanview.php
index 55f7e95d6..c4942b938 100644
--- a/mod/chanview.php
+++ b/mod/chanview.php
@@ -78,10 +78,14 @@ function chanview_content(&$a) {
 		return;
 	}
 
-	$url = (($observer) 
-		? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr'] 
-		: $a->poi['xchan_url']
-	);
+	if(is_foreigner($a->poi['xchan_hash']))
+		$url = $a->poi['xchan_url'];
+	else {
+		$url = (($observer) 
+			? z_root() . '/magic?f=&dest=' . $a->poi['xchan_url'] . '&addr=' . $a->poi['xchan_addr'] 
+			: $a->poi['xchan_url']
+		);
+	}
 
 	// let somebody over-ride the iframed viewport presentation
 
diff --git a/mod/post.php b/mod/post.php
index 7f495140e..965ba09a3 100644
--- a/mod/post.php
+++ b/mod/post.php
@@ -69,6 +69,7 @@ function post_init(&$a) {
  *      "success":1, 
  *      "confirm":"q0Ysovd1u..."
  *      "service_class":(optional)
+ *      "level":(optional)
  *    }
  *
  * 'confirm' in this case is the base64url encoded RSA signature of the concatenation of 'secret' with the
@@ -150,6 +151,7 @@ function post_init(&$a) {
 		$remote = remote_user();
 		$result = null;
 		$remote_service_class = '';
+		$remote_level = 0;
 		$remote_hub = $x[0]['hubloc_url'];
 
 		// Also check that they are coming from the same site as they authenticated with originally.
@@ -210,6 +212,8 @@ function post_init(&$a) {
 				}
 				if(array_key_exists('service_class',$j))
 					$remote_service_class = $j['service_class'];
+				if(array_key_exists('level',$j))
+					$remote_level = $j['level'];
 			}
 			// everything is good... maybe
 			if(local_user()) {
@@ -241,6 +245,7 @@ function post_init(&$a) {
 			$_SESSION['visitor_id'] = $x[0]['xchan_hash'];
 			$_SESSION['my_address'] = $address;
 			$_SESSION['remote_service_class'] = $remote_service_class;
+			$_SESSION['remote_level'] = $remote_level;
 			$_SESSION['remote_hub'] = $remote_hub;
 			
 			$arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION);
-- 
cgit v1.2.3