From 1408e3da3bcb818134b76db338fb913ae0b54aa1 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Thu, 10 Aug 2017 21:08:07 -0700
Subject: prevent uploads to comments if the channel has a default private ACL.
---
 Zotlabs/Lib/ThreadItem.php | 2 +-
 Zotlabs/Lib/ThreadStream.php | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
(limited to 'Zotlabs/Lib')
diff --git a/Zotlabs/Lib/ThreadItem.php b/Zotlabs/Lib/ThreadItem.php
index 4a66c84bc..2a9a7e779 100644
--- a/Zotlabs/Lib/ThreadItem.php
+++ b/Zotlabs/Lib/ThreadItem.php
@@ -739,7 +739,7 @@ class ThreadItem {
 '$edvideo' => t('Video'),
 '$preview' => t('Preview'), // ((feature_enabled($conv->get_profile_owner(),'preview')) ? t('Preview') : ''),
 '$indent' => $indent,
- '$can_upload' => perm_is_allowed($conv->get_profile_owner(),get_observer_hash(),'write_storage'),
+ '$can_upload' => (perm_is_allowed($conv->get_profile_owner(),get_observer_hash(),'write_storage') && $conv->is_uploadable()),
 '$feature_encrypt' => ((feature_enabled($conv->get_profile_owner(),'content_encrypt')) ? true : false),
 '$encrypt' => t('Encrypt text'),
 '$cipher' => $conv->get_cipher(),
diff --git a/Zotlabs/Lib/ThreadStream.php b/Zotlabs/Lib/ThreadStream.php
index 35ccf4fdb..0465b20ef 100644
--- a/Zotlabs/Lib/ThreadStream.php
+++ b/Zotlabs/Lib/ThreadStream.php
@@ -28,9 +28,10 @@ class ThreadStream {
 // wherein we've already prepared a top level item which doesn't look anything like
 // a normal "post" item
 
- public function __construct($mode, $preview, $prepared_item = '') {
+ public function __construct($mode, $preview, $uploadable, $prepared_item = '') {
 $this->set_mode($mode);
 $this->preview = $preview;
+ $this->uploadable = $uploadable;
 $this->prepared_item = $prepared_item;
 $c = ((local_channel()) ? get_pconfig(local_channel(),'system','default_cipher') : '');
 if($c)
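Review bot: In the ThreadItem.php hunk, `$can_upload` is a template flag, so the added `&& $conv->is_uploadable()` only decides whether the comment form offers the upload control. Nothing in this diff (limited to Zotlabs/Lib) touches the code that accepts the attachment, so a request sent to it directly is presumably still governed by `write_storage` alone. If the intent is to block the upload rather than hide the button, the same condition has to be enforced there. At minimum I would add `// UI hint only: the attachment handler must apply the same restriction` above the line. The array this entry belongs to starts and ends outside the hunk.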
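Review bot: In the ThreadStream.php constructor hunk, `$uploadable` is inserted as a required third positional parameter ahead of `$prepared_item`, which changes the meaning of every existing three-argument call. A caller that was not updated would bind its prepared item to `$uploadable`, and any non-empty value there is truthy, so the failure mode is uploads enabled rather than disabled. The callers are outside this diff, so this needs checking. Appending the parameter with a deny default avoids the mis-binding: `public function __construct($mode, $preview, $prepared_item = '', $uploadable = false) {` together with `$this->uploadable = (bool) $uploadable;`. The constructor body continues past the end of the hunk.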
@@ -61,6 +62,7 @@ class ThreadStream {
 // pull some trickery which allows us to re-invoke this function afterward
 // it's an ugly hack so @FIXME
 $this->writable = perm_is_allowed($this->profile_owner,$ob_hash,'post_comments');
+ $this->uploadable = false;
 break;
 case 'page':
 $this->profile_owner = \App::$profile['uid'];
@@ -92,6 +94,11 @@ class ThreadStream {
 return $this->commentable;
 }
 
+ public function is_uploadable() {
+ return $this->uploadable;
+ }
+
+
 /**
 * Check if page is a preview
 */
-- cgit v1.2.3
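Review bot: The `$this->uploadable = false;` added in this switch branch does not survive construction if the switch belongs to `set_mode()` (the function header and the case label are outside the hunk). The constructor calls `$this->set_mode($mode);` first and only then runs `$this->uploadable = $uploadable;`, which overwrites the false. The restriction would then hold only after the later re-invocation that the comment above calls an ugly hack. Moving `$this->uploadable = $uploadable;` above `$this->set_mode($mode);` in the constructor lets the mode-specific denial win. A comment such as `// uploads are never offered in this mode, whatever the caller passed` would record why this branch alone forces the value.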
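Review bot: `is_uploadable()` is added without the docblock its neighbour has and returns the raw constructor argument, so any truthy non-boolean value ends up enabling `$can_upload` in ThreadItem. No hunk shown declares the `$uploadable` property; if the class lists its properties (not visible here), add `private $uploadable = false;` so the unset state is deny. I would write the getter as `return (bool) $this->uploadable;` under a docblock like `/** Whether the comment form may offer file upload for this stream. */`.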