From e20c5cf9cf56eaf6af23676996fa8a1d63208899 Mon Sep 17 00:00:00 2001 From: Max Kostikov Date: Fri, 5 Apr 2019 14:10:48 +0200 Subject: Prevent return wrong profile photo modification date by plugin --- Zotlabs/Module/Photo.php | 44 +++++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index 96a4e1f40..c31e63262 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php 
@@ -71,29 +71,31 @@ class Photo extends \Zotlabs\Web\Controller { $modified = filemtime($default); $default = z_root() . '/' . $default; $uid = $person; + + $data = ''; - $d = [ 'imgscale' => $resolution, 'channel_id' => $uid, 'default' => $default, 'data' => '', 'mimetype' => '' ]; - call_hooks('get_profile_photo',$d); - - $resolution = $d['imgscale']; - $uid = $d['channel_id']; - $default = $d['default']; - $data = $d['data']; - $mimetype = $d['mimetype']; - + $r = q("SELECT * FROM photo WHERE imgscale = %d AND uid = %d AND photo_usage = %d LIMIT 1", + intval($resolution), + intval($uid), + intval(PHOTO_PROFILE) + ); + if($r) { + $modified = strtotime($r[0]['edited'] . "Z"); + $data = dbunescbin($r[0]['content']); + $mimetype = $r[0]['mimetype']; + } + if(intval($r[0]['os_storage'])) + $data = file_get_contents($data); + if(! $data) { - $r = q("SELECT * FROM photo WHERE imgscale = %d AND uid = %d AND photo_usage = %d LIMIT 1", - intval($resolution), - intval($uid), - intval(PHOTO_PROFILE) - ); - if($r) { - $modified = strtotime($r[0]['edited'] . "Z"); - $data = dbunescbin($r[0]['content']); - $mimetype = $r[0]['mimetype']; - } - if(intval($r[0]['os_storage'])) - $data = file_get_contents($data); + $d = [ 'imgscale' => $resolution, 'channel_id' => $uid, 'default' => $default, 'data' => '', 'mimetype' => '' ]; + call_hooks('get_profile_photo',$d); + + $resolution = $d['imgscale']; + $uid = $d['channel_id']; + $default = $d['default']; + $data = $d['data']; + $mimetype = $d['mimetype']; } if(! $data) { -- cgit v1.2.3 From bd95c7b82afee463ffc1e2687f234df1d05e57f7 Mon Sep 17 00:00:00 2001 From: Max Kostikov Date: Fri, 5 Apr 2019 14:15:40 +0200 Subject: Update Photo.php --- Zotlabs/Module/Photo.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index c31e63262..f397b952f 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php 
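Review bot: The fallback branch copies `data` and `mimetype` back from the `get_profile_photo` hook but never updates `$modified`. An image supplied by a plugin is therefore still paired with `filemtime($default)`, or with the `edited` stamp of a row whose content could not be loaded. If `$modified` feeds cache validation further down (that code is outside the hunk), clients can keep a stale photo after the plugin's image changes. Consider passing the timestamp through the hook array, with `'modified' => $modified` in `$d` and `$modified = $d['modified'];` after `call_hooks`. The enclosing method starts and ends outside the hunk.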
@@ -82,10 +82,11 @@ class Photo extends \Zotlabs\Web\Controller { if($r) { $modified = strtotime($r[0]['edited'] . "Z"); $data = dbunescbin($r[0]['content']); - $mimetype = $r[0]['mimetype']; + if(intval($r[0]['os_storage'])) + $data = file_get_contents($data); + else + $data = dbunescbin($r[0]['content']); } - if(intval($r[0]['os_storage'])) - $data = file_get_contents($data); if(! $data) { $d = [ 'imgscale' => $resolution, 'channel_id' => $uid, 'default' => $default, 'data' => '', 'mimetype' => '' ]; -- cgit v1.2.3 From ea4b4ddce46601ccd8adbb5ce5e127730f4b1e29 Mon Sep 17 00:00:00 2001 From: Max Kostikov Date: Fri, 5 Apr 2019 14:17:39 +0200 Subject: Update Photo.php --- Zotlabs/Module/Photo.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index f397b952f..5a926ca6f 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -81,7 +81,7 @@ class Photo extends \Zotlabs\Web\Controller { ); if($r) { $modified = strtotime($r[0]['edited'] . "Z"); - $data = dbunescbin($r[0]['content']); + $mimetype = $r[0]['mimetype']; if(intval($r[0]['os_storage'])) $data = file_get_contents($data); else -- cgit v1.2.3 From 8e0b9b82e9e6791d264703e5b823f8cbd5504dff Mon Sep 17 00:00:00 2001 From: Max Kostikov Date: Fri, 5 Apr 2019 14:21:05 +0200 Subject: Update Photo.php --- Zotlabs/Module/Photo.php | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index 5a926ca6f..6912322aa 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php 
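Review bot: In the `@@ -81,7 +81,7 @@` hunk, the `os_storage` branch calls `file_get_contents($data)` on a path that is no longer assigned. The hunk removes the `$data = dbunescbin($r[0]['content']);` line that preceded the `if`, and the first commit in this series initialises `$data = ''` before the query. For photos stored on disk the read fails, so the request falls through to the hook and default-image fallback instead of serving the stored file. Decode the stored path in the call itself: `$data = file_get_contents(dbunescbin($r[0]['content']));`. The enclosing method starts and ends outside the hunk.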
@@ -80,12 +80,12 @@ class Photo extends \Zotlabs\Web\Controller { intval(PHOTO_PROFILE) ); if($r) { - $modified = strtotime($r[0]['edited'] . "Z"); - $mimetype = $r[0]['mimetype']; + $modified = strtotime($r[0]['edited'] . "Z"); + $mimetype = $r[0]['mimetype']; if(intval($r[0]['os_storage'])) - $data = file_get_contents($data); - else - $data = dbunescbin($r[0]['content']); + $data = file_get_contents($data); + else + $data = dbunescbin($r[0]['content']); } if(! $data) { -- cgit v1.2.3 From 5a46f1229d9ba88d8887d4c41f0253d1c0bc6c98 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Fri, 5 Apr 2019 16:46:52 -0700 Subject: security: perms_pending not evaluated correctly --- include/permissions.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/include/permissions.php b/include/permissions.php index 115d96eca..1dcd6accb 100644 --- a/include/permissions.php +++ b/include/permissions.php @@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_ // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { $ret[$perm_name] = true; continue; } @@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = if(! $x) { // not in address book and no guest token, see if they've got an xchan + $y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1", dbesc($observer_xchan) ); @@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = } $abperms = load_abconfig($uid,$observer_xchan,'my_perms'); } - // system is blocked to anybody who is not authenticated 
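Review bot: In the `get_all_perms` hunk (`@@ -192,7 +192,7 @@`), the new `abook_pseudo` guard fails open when the key is absent. `intval()` of a missing `$x[0]['abook_pseudo']` is 0, so the negation is true and the pending grant is still given, presumably the outcome this security fix is meant to stop. The query that fills `$x` is outside the hunk, so please confirm it selects `abook_pseudo` and that `$x` is non-empty at this point. The same condition is repeated in the `perm_is_allowed` hunk at `@@ -382,7 +382,7 @@`. Testing the key explicitly keeps the check closed even if the column list changes, and the extra parentheses make the `&` versus `&&` grouping obvious: `if(($channel_perm & PERMS_PENDING) && isset($x[0]['abook_pseudo']) && ! intval($x[0]['abook_pseudo'])) {`.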
@@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock = // They are in your address book, but haven't been approved - if($channel_perm & PERMS_PENDING) { + if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) { return true; } -- cgit v1.2.3