From 72384ff2cb28afa74f93a15738fdbd95efe1443b Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Tue, 12 Mar 2019 15:17:25 -0700
Subject: add owner permission checks to AS item fetch

---
 Zotlabs/Module/Item.php | 39 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)

(limited to 'Zotlabs/Module/Item.php')

diff --git a/Zotlabs/Module/Item.php b/Zotlabs/Module/Item.php
index b247df0fd..980d7308d 100644
--- a/Zotlabs/Module/Item.php
+++ b/Zotlabs/Module/Item.php
@@ -62,9 +62,44 @@ class Item extends Controller {
 
 			$sql_extra = item_permissions_sql(0);
 
-			$r = q("select * from item where mid = '%s' $item_normal $sql_extra limit 1",
-				dbesc(z_root() . '/item/' . $item_id)
+			$r = null;
+
+
+			// first see if we have this item owned by the current signer
+
+			$x = q("select * from xchan where xchan_hash = '%s'",
+				dbesc($sigdata['portable_id'])
 			);
+
+			if ($x) {
+
+				// include xchans for all zot-like networks - these will have the same guid and public key
+
+				$xchans = q("select xchan_hash from xchan where xchan_hash = '%s' OR ( xchan_guid = '%s' AND xchan_pubkey = '%s' ) ",
+					dbesc($sigdata['portable_id']),
+					dbesc($x[0]['xchan_guid']),
+					dbesc($x[0]['xchan_pubkey'])
+				);
+
+				if ($xchans) {
+					$hashes = ids_to_querystr($xchans,'xchan_hash',true);
+					$r = q("select * from item where mid = '%s' $item_normal and owner_xchan in ( " . protect_sprintf($hashes) . " ) ",
+						dbesc(z_root() . '/item/' . $item_id)
+					);
+				}
+			}
+			
+			// then see if we can access it as a visitor
+
+			if (! $r) {
+
+				$r = q("select * from item where mid = '%s' $item_normal $sql_extra limit 1",
+					dbesc(z_root() . '/item/' . $item_id)
+				);
+			}
+
+			// fetch once more with no extra conditions to see what error condition applies
+
 			if(! $r) {
 
 
-- 
cgit v1.2.3