From 848e3f6c5d2aa10025fae11d1344c09c9adb84f9 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Wed, 28 Oct 2015 19:43:35 -0700
Subject: photos linked item visibility issue
---
 include/items.php | 2 +-
 include/photos.php | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/include/items.php b/include/items.php
index 08be981e7..ce8e2b9b0 100755
--- a/include/items.php
+++ b/include/items.php
@@ -4792,7 +4792,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
 if($arr['mid']) $sql_options .= " and parent_mid = '" . dbesc($arr['mid']) . "' ";
- $sql_extra = " AND item.parent IN ( SELECT parent FROM item WHERE item_thread_top = 1 $sql_options ) ";
+ $sql_extra = " AND item.parent IN ( SELECT parent FROM item WHERE item_thread_top = 1 $sql_options $item_normal ) ";
 if($arr['since_id']) $sql_extra .= " and item.id > " . $since_id . " ";
diff --git a/include/photos.php b/include/photos.php
index d62d5aeb8..84e734ced 100644
--- a/include/photos.php
+++ b/include/photos.php
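Review bot: In the include/items.php hunk, `$item_normal` is interpolated into the thread-top subquery of items_fetch() but is not assigned anywhere in the visible lines, so the new filter depends on it being set on every path earlier in the function. If it is ever unset, PHP interpolates an empty string and the subquery silently falls back to the old, unfiltered behaviour, which is the visibility problem this commit is meant to close. Because the statement is assembled by string concatenation, a comment on the changed line would help the next reader, e.g. `// $item_normal must be a server-built SQL fragment (never request data); it restricts which thread tops qualify`. items_fetch() starts and ends outside the hunk.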
@@ -379,6 +379,20 @@ function photo_upload($channel, $observer, $args) {
 $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $arr['mid'];
 $arr['body'] = (($object) ? $args['body'] : $body . "\r\n" . $args['body']);
+
+ // this one is tricky because the item and the photo have the same permissions, those of the photo.
+ // Use the channel read_stream permissions to get the correct public_policy for the item and recalculate the
+ // private flag accordingly. This may cause subtle bugs due to custom permissions roles. We want to use
+ // public policy when federating items to other sites, but should probably ignore them when accessing the item
+ // in the photos pages - using the photos permissions instead. We need the public policy to keep the photo
+ // linked item from leaking into the feed when somebody has a channel with read_stream restrictions.
+
+ $arr['public_policy'] = map_scope($channel['channel_r_stream'],true));
+ if($arr['public_policy'])
+ $arr['item_private'] = 1;
+
+
+
 $result = item_store($arr);
 $item_id = $result['item_id'];
-- cgit v1.2.3
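Review bot: The added assignment `$arr['public_policy'] = map_scope($channel['channel_r_stream'],true));` has one closing parenthesis too many, which is a parse error and would keep include/photos.php from loading at all; it should read `$arr['public_policy'] = map_scope($channel['channel_r_stream'], true);`. Separately, `item_private` is only ever raised to 1 here and never lowered, so the stored flag also depends on whatever value `$arr['item_private']` was given before the hunk. Given the comment's own warning about custom permission roles, a test that a photo upload on a channel with a restricted read_stream setting stores a private linked item would pin the intended behaviour. photo_upload() starts and ends outside the hunk.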