From cd65d172baab020802421db8e5b5d54033dafaa8 Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 15:59:42 +0100
Subject: urlencode query_string for magic auth to make sure GET params make it back to the originating server
---
 include/identity.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/identity.php b/include/identity.php
index 5e25244e6..9fba55da5 100644
--- a/include/identity.php
+++ b/include/identity.php
@@ -1023,7 +1023,7 @@ function zid_init(&$a) {
 dbesc($tmp_str)
 );
 // try to avoid recursion - but send them home to do a proper magic auth
- $dest = '/' . $a->query_string;
+ $dest = '/' . urlencode($a->query_string);
 $dest = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$dest);
 if($r && ($r[0]['hubloc_url'] != z_root()) && (! strstr($dest,'/magic')) && (! strstr($dest,'/rmagic'))) {
 goaway($r[0]['hubloc_url'] . '/magic' . '?f=&rev=1&dest=' . z_root() . $dest);
@@ -1140,4 +1140,4 @@ function is_foreigner($s) {
 function is_member($s) {
 return((is_foreigner($s)) ? false : true);
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3
From c0f6d7319524f8fb8bac764d6e2f306335d2266b Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 16:02:40 +0100
Subject: save channel//?mid=... plinks with the items
---
 include/items.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/items.php b/include/items.php
index 781956882..883458b6e 100755
--- a/include/items.php
+++ b/include/items.php
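Review bot: With `urlencode()` applied first, the `str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$dest)` on the next line can no longer match anything, since `?`, `&` and `=` in `$a->query_string` are now `%3F`, `%26` and `%3D`, so the zid-to-rzid rewrite that the preceding comment relies on to avoid recursion is dead after this change. A zid parameter therefore travels unchanged inside the `dest=` value handed to the remote hub, and if that hub sends the visitor back with the same query string the redirect can repeat. Do the rewrite on the raw string and encode afterwards: `$dest = str_replace(array('?zid=','&zid='),array('?rzid=','&rzid='),$a->query_string);` followed by `$dest = '/' . urlencode($dest);`. The `strstr($dest,'/magic')` and `strstr($dest,'/rmagic')` guards still catch a query string that begins with `magic` or `rmagic` because the leading `/` is added outside the encoding, but a slash inside the query string is now `%2F`; zid_init continues outside the hunk.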
@@ -1602,8 +1602,15 @@ function item_store($arr,$allow_exec = false) {
 $arr['llink'] = z_root() . '/display/' . $arr['mid'];
- if(! $arr['plink'])
- $arr['plink'] = $arr['llink'];
+ if(! $arr['plink']) {
+ if (local_user()){
+ $channel = get_app()->get_channel();
+ $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?mid=' . $arr['mid'];
+ } else {
+ // can this ever happen?
+ $arr['plink'] = $arr['llink'];
+ }
+ }
 if($arr['parent_mid'] === $arr['mid']) {
 $parent_id = 0;
-- 
cgit v1.2.3
From 5d83855afdd4ebf770462de7520e72ffb9c6c1c2 Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 16:04:51 +0100
Subject: use plinks instead of llinks on network/ and channel/ pages, though not in mode network-new (network/new and network/search)
---
 include/text.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/text.php b/include/text.php
index 8b71fbddf..b47f0518a 100755
--- a/include/text.php
+++ b/include/text.php
@@ -1391,7 +1391,7 @@ function feed_salmonlinks($nick) {
 function get_plink($item,$mode) {
 $a = get_app();
- if($mode == 'display')
+ if(($mode == 'display') || ($mode == 'channel') || ($mode == 'network'))
 $key = 'plink';
 else
 $key = 'llink';
-- 
cgit v1.2.3
From a517a27d53cc3eb29c004279c73de84f764574aa Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 16:06:33 +0100
Subject: fix a bug that made it possible for everyone to access any message from other channels using channel//?mid=...
---
 mod/channel.php | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/mod/channel.php b/mod/channel.php
index 205a89fa3..27f1cbdc6 100644
--- a/mod/channel.php
+++ b/mod/channel.php
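Review bot: The new plink takes its channel from the session rather than from the item: `local_user()` and `get_app()->get_channel()` identify whoever is logged in, not the owner of `$arr`, so an item stored for another channel during a logged-in request would get a plink under the wrong channel address (item_store's callers are outside the hunk, so this is inferred; the later hunk in commit acdf053a keeps the same source). The item's own owner fields in `$arr` are the authoritative place to derive the channel address from. `$arr['mid']` is also concatenated into the query string raw; `'/?mid=' . urlencode($arr['mid'])` keeps the link intact when a mid contains reserved characters. The `else` branch is reached whenever item_store runs without a session, presumably background delivery, so the `// can this ever happen?` comment would be more useful as `// no session (e.g. delivery): fall back to the local display link`.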
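Review bot: The widened condition in get_plink repeats a loose `==` comparison on `$mode` three times; a single strict membership test says the same thing and is easier to extend: `if(in_array($mode, array('display','channel','network'), true))`. get_plink's body continues outside the hunk.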
@@ -138,6 +138,17 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
 dbesc($mid)
 );
+logger("update ");
+ if ($r) {
+ // make sure we don't show other people's posts from our matrix
+ $parent = q("SELECT owner_xchan from item where id = %d",
+ dbesc($r[0]['item_id'])
+ );
+logger("update ");
+logger($parent);
+ if ($parent['owner_xchan'] != $a->profile['channel_hash'])
+ $r = array();
+ }
 } else {
 $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan
@@ -177,6 +188,7 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
 dbesc($mid)
 );
+logger("load ");
 } else {
 $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan
@@ -197,6 +209,20 @@ function channel_content(&$a, $update = 0, $load = false) {
 }
 }
+ if ($mid && $r) {
+ // make sure we don't show other people's posts from our matrix
+ // as $a->profile['channel_hash'] isn't set when a JS query comes in
+ // we have to do that with a join
+ $ismine = q("SELECT * from item
+ join channel on item.owner_xchan = channel.channel_hash
+ where item.id = %d and channel.channel_id = %d",
+ dbesc($r[0]['item_id']),
+ intval($a->profile['profile_uid'])
+ );
+ if (!$ismine)
+ $r = array();
+ }
+
 if($r) {
 $parents_str = ids_to_querystr($r,'item_id');
-- 
cgit v1.2.3
From ab81458768f5989779e2ae1e74bfc5ba2d0bac0c Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 16:18:17 +0100
Subject: took out some left-overs from the debugging phase
---
 mod/channel.php | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/mod/channel.php b/mod/channel.php
index 27f1cbdc6..458783b18 100644
--- a/mod/channel.php
+++ b/mod/channel.php
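Review bot: `$parent['owner_xchan']` in the added ownership check indexes the result set rather than its first row — the same hunk reads rows as `$r[0]['item_id']` — so the intended expression is `$parent[0]['owner_xchan']`. As written the left side is an undefined index: when `$a->profile['channel_hash']` is set every request ends in `$r = array()`, and when it is not set (the third hunk's comment says that is the case for JS queries) the check passes for everybody, which is the situation the commit sets out to close. The query also binds the integer `%d` placeholder with `dbesc(...)`; `intval($r[0]['item_id'])` is the matching escaper, and the third hunk's `$ismine` query has the same mismatch.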
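Review bot: The `$ismine` query uses `SELECT *` over item joined with channel although only existence is tested in `if (!$ismine)`; `SELECT item.id from item` keeps the join while fetching a single column instead of two full rows for a boolean decision. The check relies on `$a->profile['profile_uid']` being populated on the JS-query path where, per the added comment, `channel_hash` is not; that is plausible but not visible in the hunk. channel_content continues outside the hunk.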
@@ -138,17 +138,6 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
 dbesc($mid)
 );
-logger("update ");
- if ($r) {
- // make sure we don't show other people's posts from our matrix
- $parent = q("SELECT owner_xchan from item where id = %d",
- dbesc($r[0]['item_id'])
- );
-logger("update ");
-logger($parent);
- if ($parent['owner_xchan'] != $a->profile['channel_hash'])
- $r = array();
- }
 } else {
 $r = q("SELECT distinct parent AS `item_id` from item left join abook on item.author_xchan = abook.abook_xchan
@@ -188,7 +177,6 @@ logger($parent);
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
 dbesc($mid)
 );
-logger("load ");
 } else {
 $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan
-- 
cgit v1.2.3
From 5ee5bda998b47e82586c47de1d325508b57cefe5 Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 17:06:28 +0100
Subject: fix notices
---
 mod/channel.php | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/mod/channel.php b/mod/channel.php
index 458783b18..8e44a329b 100644
--- a/mod/channel.php
+++ b/mod/channel.php
@@ -177,6 +177,10 @@ function channel_content(&$a, $update = 0, $load = false) {
 $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1",
 dbesc($mid)
 );
+ if (! $r) {
+ notice( t('Item not found.') . EOL);
+ }
+
 } else {
 $r = q("SELECT distinct id AS item_id FROM item left join abook on item.author_xchan = abook.abook_xchan
@@ -207,8 +211,11 @@ function channel_content(&$a, $update = 0, $load = false) {
 dbesc($r[0]['item_id']),
 intval($a->profile['profile_uid'])
 );
- if (!$ismine)
+ if (!$ismine) {
+ if ($load)
+ notice( t('Permission denied.') . EOL);
 $r = array();
+ }
 }
 if($r) {
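Review bot: The added `notice( t('Item not found.') . EOL)` is emitted when no item with the requested mid exists, while the second hunk and the third hunk of this commit (the `@@ -228,12` one) report `Permission denied.` when the item exists but belongs to another channel; the two distinct messages let a visitor learn whether an arbitrary mid exists on this hub, the very distinction the comment removed in the third hunk asked about. If mid existence is not meant to be observable, use one message for both outcomes, e.g. `notice( t('Item not found.') . EOL);` in the `!$ismine` branch as well. This notice is also not guarded by `if ($load)` as the `Permission denied.` one is; if this branch can run for update polls too, the same guard keeps notices off that path (the enclosing branches of channel_content are outside the hunk).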
@@ -228,12 +235,10 @@ function channel_content(&$a, $update = 0, $load = false) {
 $items = fetch_post_tags($items, true);
 $items = conv_sort($items,'created');
- if ($mid && (! count($items))) {
- // This will happen if channel is called with a mid from another
- // channel, if we don't have sufficient permissions to view the
- // item, or if it doesn't exist.
- // Do we need separate error messages for that?
- notice( t('Item not found.') . EOL);
+ if ($load && $mid && (! count($items))) {
+ // This will happen if we don't have sufficient permissions
+ // to view the parent item (or the item itself if it is toplevel)
+ notice( t('Permission denied.') . EOL);
 }
 }
 else {
-- 
cgit v1.2.3
From acdf053a0bec73acaad3f6c0e0625aa860a4b9b3 Mon Sep 17 00:00:00 2001
From: zottel
Date: Thu, 9 Jan 2014 17:29:04 +0100
Subject: use display/ plinks for comments
---
 include/items.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/include/items.php b/include/items.php
index 883458b6e..d5eea1e6f 100755
--- a/include/items.php
+++ b/include/items.php
@@ -1602,12 +1602,11 @@ function item_store($arr,$allow_exec = false) {
 $arr['llink'] = z_root() . '/display/' . $arr['mid'];
- if(! $arr['plink']) {
- if (local_user()){
+ if((! $arr['plink'])) {
+ if (local_user() && ($arr['item_flags'] & ITEM_THREAD_TOP)) {
 $channel = get_app()->get_channel();
 $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?mid=' . $arr['mid'];
 } else {
- // can this ever happen?
 $arr['plink'] = $arr['llink'];
 }
 }
-- 
cgit v1.2.3
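Review bot: `$arr['item_flags']` is read in the new condition without a guard; if any caller can omit that key the bitwise test raises a notice and evaluates to 0, silently choosing the display link (item_store's callers are outside the hunk, so this is inferred): `if (local_user() && isset($arr['item_flags']) && ($arr['item_flags'] & ITEM_THREAD_TOP)) {`. The doubled parentheses in `if((! $arr['plink'])) {` are redundant; `if(! $arr['plink']) {` as before reads cleaner. item_store continues outside the hunk.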