From db8ebc9f375478bddc0f48d972e3acfbde80685a Mon Sep 17 00:00:00 2001 From: friendica Date: Thu, 9 Jan 2014 15:45:17 -0800 Subject: some minor cleanup on plinks for some very subtle permissions issues --- include/activities.php | 2 ++ include/event.php | 2 ++ include/items.php | 18 ++++++++++-------- include/photos.php | 5 +++++ mod/channel.php | 24 ++++-------------------- mod/item.php | 6 +++++- mod/like.php | 1 + mod/mood.php | 7 ++++++- mod/photos.php | 9 ++++++++- 9 files changed, 43 insertions(+), 31 deletions(-) diff --git a/include/activities.php b/include/activities.php index 73180eae0..4502b758e 100644 --- a/include/activities.php +++ b/include/activities.php @@ -24,6 +24,8 @@ function profile_activity($changed, $value) { $arr['item_flags'] = ITEM_WALL|ITEM_ORIGIN|ITEM_THREAD_TOP; $arr['verb'] = ACTIVITY_UPDATE; $arr['obj_type'] = ACTIVITY_OBJ_PROFILE; + + $arr['$plink'] = z_root() . '/channel/' . $self['channel_address'] . '/?f=&mid=' . $arr['mid']; $A = '[url=' . z_root() . '/channel/' . $self['channel_address'] . ']' . $self['channel_name'] . '[/url]'; diff --git a/include/event.php b/include/event.php index 20c5de09c..08b94dafa 100644 --- a/include/event.php +++ b/include/event.php @@ -337,6 +337,8 @@ function event_store($arr) { $item_arr['obj_type'] = ACTIVITY_OBJ_EVENT; $item_arr['body'] = format_event_bbcode($arr); + $item_arr['plink'] = z_root() . '/channel/' . $z[0]['channel_address'] . '/?f=&mid=' . $item_arr['mid']; + $x = q("select * from xchan where xchan_hash = '%s' limit 1", dbesc($arr['event_xchan']) ); diff --git a/include/items.php b/include/items.php index d5eea1e6f..9a1e5f81b 100755 --- a/include/items.php +++ b/include/items.php 
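Review bot: In profile_activity() (include/activities.php) the added assignment writes to the key `'$plink'`, which is single-quoted and so contains a literal dollar sign, instead of `'plink'`. This item therefore never receives the channel permalink, and item_store() will substitute `llink`. The line should read `$arr['plink'] = z_root() . '/channel/' . $self['channel_address'] . '/?f=&mid=' . $arr['mid'];`. The same URL expression is repeated in include/event.php, include/items.php, include/photos.php (twice), mod/item.php, mod/mood.php and mod/photos.php, so one small helper taking the channel address and the mid would keep them in step. The function body starts and ends outside the hunk, so whether `$arr['mid']` is already set at this point cannot be confirmed from here.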
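Review bot: In event_store() (include/event.php) the new plink reads `$z[0]['channel_address']`, but `$z` is neither assigned nor checked anywhere in the hunk. If the lookup that fills it can come back empty, the stored link would become `/channel//?f=&mid=…` with only a notice. Wrapping the assignment in `if ($z) { … }`, or returning early where `$z` is fetched, would make the assumption explicit. The function body extends beyond the hunk in both directions.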
@@ -243,6 +243,12 @@ function post_activity_item($arr) { $arr['comment_policy'] = map_scope($channel['channel_w_comment']); + + if ((! $arr['plink']) && ($arr['item_flags'] & ITEM_THREAD_TOP)) { + $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $arr['mid']; + } + + // for the benefit of plugins, we will behave as if this is an API call rather than a normal online post $_REQUEST['api_source'] = 1; @@ -1602,14 +1608,10 @@ function item_store($arr,$allow_exec = false) { $arr['llink'] = z_root() . '/display/' . $arr['mid']; - if((! $arr['plink'])) { - if (local_user() && ($arr['item_flags'] & ITEM_THREAD_TOP)) { - $channel = get_app()->get_channel(); - $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?mid=' . $arr['mid']; - } else { - $arr['plink'] = $arr['llink']; - } - } + if(! $arr['plink']) + $arr['plink'] = $arr['llink']; + + if($arr['parent_mid'] === $arr['mid']) { $parent_id = 0; diff --git a/include/photos.php b/include/photos.php index e4367bf95..5c03b2cdb 100644 --- a/include/photos.php +++ b/include/photos.php @@ -216,6 +216,9 @@ function photo_upload($channel, $observer, $args) { $arr['deny_gid'] = $str_group_deny; $arr['verb'] = ACTIVITY_POST; + $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $arr['mid']; + + $arr['body'] = '[zrl=' . z_root() . '/photos/' . $channel['channel_address'] . '/image/' . $photo_hash . ']' . '[zmg]' . z_root() . "/photo/{$photo_hash}-{$smallest}.".$ph->getExt() . '[/zmg]' . '[/zrl]'; 
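Review bot: The guard `(! $arr['plink'])` in post_activity_item() reads an array key that callers may never have set, which raises an undefined-index notice and obscures the intent. `if (empty($arr['plink']) && ($arr['item_flags'] & ITEM_THREAD_TOP)) {` expresses the same test without the notice. The identical guard is added in mod/mood.php and mod/photos.php, and item_store() in the following hunk uses `if(! $arr['plink'])`, so the same change applies there. The default also relies on `$arr['mid']` and `$arr['item_flags']` being filled in before this point, which the hunk does not show.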
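Review bot: item_store() now only falls back to `llink`, and nothing in the code tells a caller that top-level posts must arrive with `plink` already set. A short comment above the fallback would record that contract, for example `// callers set plink for thread-top items; everything else falls back to the local display link`. The brace-less `if` is also easy to misread next to the braced blocks around it; `if (empty($arr['plink'])) { $arr['plink'] = $arr['llink']; }` would match them. The function starts and ends outside the hunk.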
@@ -407,6 +410,8 @@ function photos_create_item($channel, $creator_hash, $photo, $visible = false) { $arr['allow_gid'] = $photo['allow_gid']; $arr['deny_cid'] = $photo['deny_cid']; $arr['deny_gid'] = $photo['deny_gid']; + + $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $arr['mid']; $arr['body'] = '[zrl=' . z_root() . '/photos/' . $channel['channel_address'] . '/image/' . $photo['resource_id'] . ']' . '[zmg]' . z_root() . '/photo/' . $photo['resource_id'] . '-' . $photo['scale'] . '[/zmg]' diff --git a/mod/channel.php b/mod/channel.php index 8e44a329b..20f6fec18 100644 --- a/mod/channel.php +++ b/mod/channel.php @@ -104,7 +104,7 @@ function channel_content(&$a, $update = 0, $load = false) { ); - if($perms['post_wall'] && (!$mid)) { + if($perms['post_wall']) { $x = array( 'is_owner' => $is_owner, @@ -135,8 +135,9 @@ function channel_content(&$a, $update = 0, $load = false) { if(($update) && (! $load)) { if ($mid) { - $r = q("SELECT parent AS item_id from item where mid = '%s' limit 1", - dbesc($mid) + $r = q("SELECT parent AS item_id from item where mid = '%s' and uid = %d $sql_extra limit 1", + dbesc($mid), + intval($a->profile['profile_uid']) ); } else { $r = q("SELECT distinct parent AS `item_id` from item @@ -201,23 +202,6 @@ function channel_content(&$a, $update = 0, $load = false) { } } - if ($mid && $r) { - // make sure we don't show other people's posts from our matrix - // as $a->profile['channel_hash'] isn't set when a JS query comes in - // we have to do that with a join - $ismine = q("SELECT * from item - join channel on item.owner_xchan = channel.channel_hash - where item.id = %d and channel.channel_id = %d", - dbesc($r[0]['item_id']), - intval($a->profile['profile_uid']) - ); - if (!$ismine) { - if ($load) - notice( t('Permission denied.') . EOL); - $r = array(); - } - } - if($r) { $parents_str = ids_to_querystr($r,'item_id'); diff --git a/mod/item.php b/mod/item.php index 037c24835..915bed706 100644 
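Review bot: In channel_content() (mod/channel.php) the `uid = %d $sql_extra` filter is added only to the mid lookup inside `if(($update) && (! $load))`, whereas the `$ismine` ownership check deleted further down ran for any `$mid && $r`. Any mid lookup on the `$load` path, which is outside the hunk, must carry the same constraint or it is left with no guard at all. The two filters are also not obviously equivalent: the removed one joined on `item.owner_xchan`, the new one matches `item.uid`, and the deleted comment names exactly the case where items stored under a channel's uid belong to someone else, so the outcome depends on what `$sql_extra` contains. `$sql_extra` is interpolated directly into the SQL text and is built outside the hunk; a comment such as `// $sql_extra: permission clause built above, already escaped` would record that assumption. A regression test that asks for another channel's `mid` through both the update and the load path would pin the intended behaviour.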
--- a/mod/item.php +++ b/mod/item.php @@ -79,6 +79,7 @@ function item_post(&$a) { $layout_mid = ((x($_REQUEST,'layout_mid')) ? escape_tags($_REQUEST['layout_mid']): ''); $plink = ((x($_REQUEST,'permalink')) ? escape_tags($_REQUEST['permalink']) : ''); + /* Check service class limits */ @@ -605,9 +606,12 @@ function item_post(&$a) { $datarray = array(); if(! $parent) { - $datarray['parent_mid'] = $mid; $item_flags = $item_flags | ITEM_THREAD_TOP; } + + if ((! $plink) && ($item_flags & ITEM_THREAD_TOP)) { + $plink = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $mid; + } $datarray['aid'] = $channel['channel_account_id']; $datarray['uid'] = $profile_uid; diff --git a/mod/like.php b/mod/like.php index 84b0a6592..007d1aee1 100755 --- a/mod/like.php +++ b/mod/like.php @@ -171,6 +171,7 @@ function like_content(&$a) { $arr['deny_cid'] = $item['deny_cid']; $arr['deny_gid'] = $item['deny_gid']; + $post = item_store($arr); $post_id = $post['item_id']; diff --git a/mod/mood.php b/mod/mood.php index 83b8bfb57..5075f622d 100755 --- a/mod/mood.php +++ b/mod/mood.php @@ -11,6 +11,7 @@ function mood_init(&$a) { return; $uid = local_user(); + $channel = $a->get_channel(); $verb = notags(trim($_GET['verb'])); if(! $verb) @@ -48,7 +49,6 @@ function mood_init(&$a) { else { $private = 0; - $channel = $a->get_channel(); $allow_cid = $channel['channel_allow_cid']; $allow_gid = $channel['channel_allow_gid']; @@ -84,6 +84,11 @@ function mood_init(&$a) { $arr['verb'] = $activity; $arr['body'] = $action; + if ((! $arr['plink']) && ($arr['item_flags'] & ITEM_THREAD_TOP)) { + $arr['plink'] = z_root() . '/channel/' . $channel['channel_address'] . '/?f=&mid=' . $arr['mid']; + } + + $post = item_store($arr); $item_id = $post['item_id']; diff --git a/mod/photos.php b/mod/photos.php index 51a680828..8099c71e6 100644 --- a/mod/photos.php +++ b/mod/photos.php 
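Review bot: In item_post() (mod/item.php) the new default is applied only when `$plink` is empty, and `$plink` is filled from `$_REQUEST['permalink']` with nothing but `escape_tags()`, as the context of the previous hunk shows. A client-supplied value is therefore stored as the post's permalink unchanged unless it is validated somewhere between those two points, which the diff does not show. If it is not, constrain it before the default is computed, for example `if ($plink && ! preg_match('#^https?://#i', $plink)) $plink = '';`. The hunk also drops `$datarray['parent_mid'] = $mid;` for top-level posts; whether `parent_mid` is still assigned elsewhere lies outside the hunk and is worth confirming.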
@@ -472,7 +472,7 @@ function photos_post(&$a) { $mid = item_message_id(); $arr = array(); - +//FIXME $arr['uid'] = $page_owner_uid; $arr['mid'] = $mid; $arr['parent_mid'] = $mid; @@ -511,6 +511,13 @@ function photos_post(&$a) { . $a->get_baseurl() . '/photos/' . $owner_record['nickname'] . '/image/' . $p[0]['resource_id'] . ''; $arr['target'] .= '' . xmlify('' . "\n" . '') . ''; + if ((! $arr['plink']) && ($arr['item_flags'] & ITEM_THREAD_TOP)) { + $arr['plink'] = z_root() . '/channel/' . $owner_record['channel_address'] . '/?f=&mid=' . $arr['mid']; + } + + + + $post = item_store($arr); $item_id = $post['item_id']; -- cgit v1.2.3
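Review bot: The added `//FIXME` in photos_post() (mod/photos.php) does not say what is wrong, so a later reader cannot tell whether it refers to `$arr['uid'] = $page_owner_uid;` on the next line or to the whole item being assembled. Put the problem and the intended fix in the comment itself, e.g. `// FIXME: <what is wrong with this item and what should replace it>`.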
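Review bot: The new plink in photos_post() reads `$owner_record['channel_address']`, while the context line directly above builds the photo URL from `$owner_record['nickname']` and `$a->get_baseurl()`. If `$owner_record` carries no `channel_address` key, the stored link becomes `/channel//?f=&mid=…`. Where `$owner_record` is loaded is outside the hunk, so confirm which key it actually provides and use that one in both places. In the visible lines `$arr['plink']` is never assigned before this test, so the `! $arr['plink']` half of the condition looks redundant here; `empty($arr['plink'])` would at least avoid the undefined-index notice.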