From 8d28649e1b64e8d4eb15fd3923020950a58966e7 Mon Sep 17 00:00:00 2001 From: Mario Date: Mon, 6 Sep 2021 09:10:19 +0000 Subject: check the post_mail permission for direct messages --- Zotlabs/Lib/Activity.php | 14 +++++++++++++- Zotlabs/Lib/Libzot.php | 6 ++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Zotlabs/Lib/Activity.php b/Zotlabs/Lib/Activity.php index 971381fb2..14d4a1d71 100644 --- a/Zotlabs/Lib/Activity.php +++ b/Zotlabs/Lib/Activity.php @@ -1815,12 +1815,19 @@ class Activity { } else { if (!perm_is_allowed($channel['channel_id'], $observer_hash, 'send_stream') && !$is_sys_channel) { - logger('no permission'); + logger('no send_stream permission'); return; } $s['owner_xchan'] = $s['author_xchan'] = $observer_hash; } + if (intval($item['item_private']) === 2) { + if (!perm_is_allowed($channel['channel_id'], $observer_hash, 'post_mail')) { + logger('no post_mail permission'); + return; + } + } + $abook = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1", dbesc($observer_hash), intval($channel['channel_id']) @@ -2672,6 +2679,11 @@ class Activity { $allowed = true; } + if (intval($item['item_private']) === 2) { + if (!perm_is_allowed($channel['channel_id'], $observer_hash, 'post_mail')) { + $allowed = false; + } + } if ($is_sys_channel) { diff --git a/Zotlabs/Lib/Libzot.php b/Zotlabs/Lib/Libzot.php index cb55a4e67..9c232f34d 100644 --- a/Zotlabs/Lib/Libzot.php +++ b/Zotlabs/Lib/Libzot.php @@ -1601,6 +1601,12 @@ class Libzot { $friendofriend = true; } + if (intval($arr['item_private']) === 2) { + if (!perm_is_allowed($channel['channel_id'], $sender, 'post_mail')) { + $allowed = false; + } + } + if (!$allowed) { logger("permission denied for delivery to channel {$channel['channel_id']} {$channel['channel_address']}"); $DR->update('permission denied'); -- cgit v1.2.3