From 0f7832dc30fb4d8aedd24b6ad8a9e48876a77dd0 Mon Sep 17 00:00:00 2001 From: zotlabs Date: Mon, 13 Mar 2017 16:19:47 -0700 Subject: code_allowed is a real mess. Start the cleanup by remving the account level code allow and limiting to specific channels only. This reduces the possibility of cross channel security issues coming into play. Then provide a single function for checking the code permission. This is only partially done as we often need to check against the observer or logged in channel as well as the resource owner to ensure that this only returns true for local channels which also own the requested resource. --- Zotlabs/Module/Item.php | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) (limited to 'Zotlabs/Module/Item.php') diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php index 6f54d3bb1..43cf535a4 100644 --- a/Zotlabs/Module/Item.php +++ b/Zotlabs/Module/Item.php @@ -478,17 +478,8 @@ class Item extends \Zotlabs\Web\Controller { // Verify ability to use html or php!!! - $execflag = false; - - $z = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", - intval($profile_uid) - ); - if($z && (($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($z[0]['channel_pageflags'] & PAGE_ALLOWCODE))) { - if($uid && (get_account_id() == $z[0]['account_id'])) { - $execflag = true; - } - } - + $execflag = ((intval($channel['channel_id']) == intval($profile_uid) && ($channel['channel_pageflags'] & PAGE_ALLOWCODE)) ? true : false); + $gacl = $acl->get(); $str_contact_allow = $gacl['allow_cid']; $str_group_allow = $gacl['allow_gid']; -- cgit v1.2.3