From 6be6b41a421f86579164288ea2fa7cebb6edd9d4 Mon Sep 17 00:00:00 2001 From: friendica Date: Sun, 14 Sep 2014 17:07:39 -0700 Subject: privacy issue - restrictive stream permission setting with a non-targetted post cannot be enforced on remote networks. Restrict these posts to zot network. --- include/items.php | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/include/items.php b/include/items.php index 166303cac..beec65d8a 100755 --- a/include/items.php +++ b/include/items.php @@ -68,13 +68,31 @@ function collect_recipients($item,&$private_envelope) { $private_envelope = false; if(array_key_exists('public_policy',$item) && $item['public_policy'] !== 'self') { - $r = q("select abook_xchan from abook where abook_channel = %d and not (abook_flags & %d) ", + $r = q("select abook_xchan, xchan_network from abook left join xchan on abook_xchan = xchan_hash where abook_channel = %d and not (abook_flags & %d) ", intval($item['uid']), intval(ABOOK_FLAG_SELF|ABOOK_FLAG_PENDING|ABOOK_FLAG_ARCHIVED) ); if($r) { + + // filter out restrictive public_policy settings from remote networks + // which don't have this concept and will treat them as public. + + $policy = substr($item['public_policy'],0,3); foreach($r as $rr) { - $recipients[] = $rr['abook_xchan']; + switch($policy) { + case 'net': + case 'aut': + case 'sit': + case 'any': + case 'con': + if($rr['xchan_network'] != 'zot') + break; + case 'pub': + case '': + default: + $recipients[] = $rr['abook_xchan']; + break; + } } } } -- cgit v1.2.3