From 32423a7706c45d0d7187444f50eac33ca4fdfaa0 Mon Sep 17 00:00:00 2001
From: zotlabs
Date: Mon, 30 Apr 2018 22:30:59 -0700
Subject: parent folder permissions weren't being checked back to the cloud root directory in all cases
---
Zotlabs/Module/Photo.php | 70 +++++++++++++++---------------------------------
1 file changed, 21 insertions(+), 49 deletions(-)
(limited to 'Zotlabs/Module/Photo.php')
diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php
index 8a110f925..b3171fe75 100644
--- a/Zotlabs/Module/Photo.php
+++ b/Zotlabs/Module/Photo.php
@@ -127,69 +127,45 @@ class Photo extends \Zotlabs\Web\Controller { } } - $r = q("SELECT uid FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", + $r = q("SELECT uid, photo_usage FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", dbesc($photo), intval($resolution) ); if($r) { - - $allowed = (($r[0]['uid']) ? perm_is_allowed($r[0]['uid'],$observer_xchan,'view_storage') : true); - - $sql_extra = permissions_sql($r[0]['uid']); - if(! $sql_extra) - $sql_extra = ' and true '; - - // Only check permissions on normal photos. Those photos we don't check includes - // profile photos, xchan photos (which are also profile photos), 'thing' photos, - // and cover photos - - $sql_extra = " and (( photo_usage = 0 $sql_extra ) or photo_usage != 0 )"; + $allowed = (-1); + if(intval($r[0]['photo_usage'])) { + $allowed = 1; + if(intval($r[0]['photo_usage']) === PHOTO_COVER) + if($resolution < PHOTO_RES_COVER_1200) + $allowed = (-1); + if(intval($r[0]['photo_usage']) === PHOTO_PROFILE) + if(! in_array($resolution,[4,5,6])) + $allowed = (-1); + } + if($allowed === (-1)) + $allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo); + $channel = channelx_by_n($r[0]['uid']); // Now we'll see if we can access the photo - $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", + $e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", dbesc($photo), intval($resolution) ); - // viewing cover photos is allowed unless a plugin chooses to block it. - - if($r && intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution >= PHOTO_RES_COVER_1200) - $allowed = 1; - - $d = [ 'imgscale' => $resolution, 'resource_id' => $photo, 'photo' => $r, 'allowed' => $allowed ]; - call_hooks('get_photo',$d); + $exists = (($e) ? 
true : false); - $resolution = $d['imgscale']; - $photo = $d['resource_id']; - $r = $d['photo']; - $allowed = $d['allowed']; - - if($r && $allowed) { - $data = dbunescbin($r[0]['content']); - $mimetype = $r[0]['mimetype']; - if(intval($r[0]['os_storage'])) { + if($exists && $allowed) { + $data = dbunescbin($e[0]['content']); + $mimetype = $e[0]['mimetype']; + if(intval($e[0]['os_storage'])) { $streaming = $data; } } else { - - // Does the picture exist? It may be a remote person with no credentials, - // but who should otherwise be able to view it. Show a default image to let - // them know permissions was denied. It may be possible to view the image - // through an authenticated profile visit. - // There won't be many completely unauthorised people seeing this because - // they won't have the photo link, so there's a reasonable chance that the person - // might be able to obtain permission to view it. - - $r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", - dbesc($photo), - intval($resolution) - ); - - if($r) { + if(! $allowed) { logger('mod_photo: forbidden. ' . \App::$query_string); $observer = \App::get_observer(); logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)')); @@ -201,9 +177,6 @@ class Photo extends \Zotlabs\Web\Controller { } } - - - if(! isset($data)) { if(isset($resolution)) { switch($resolution) { @@ -295,7 +268,6 @@ class Photo extends \Zotlabs\Web\Controller { } killme(); - // NOTREACHED } } -- cgit v1.2.3 From 83c18f4d4a5f4f767e2d9073a8962c0dc9fc6fb8 Mon Sep 17 00:00:00 2001 
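Review bot: The new query `$e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", ...)` still interpolates `$sql_extra`, but the only assignments to it in this hunk (`$sql_extra = permissions_sql($r[0]['uid'])` and the `photo_usage` clause) are removed lines; unless it is set earlier in the method, the variable is undefined here and the query runs unfiltered, so either drop `$sql_extra` from the query or reinstate the assignment. The removed `call_hooks('get_photo',$d)` also took away the only point where a plugin could veto `$allowed` (the removed comment relied on it for cover photos); if that extension point is still wanted, re-add the hook once `$allowed` is computed. The brace-less `if (...) if (...)` chains for PHOTO_COVER and PHOTO_PROFILE are easy to misread; `if(intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution < PHOTO_RES_COVER_1200) $allowed = (-1);` states the intent directly. The enclosing method starts before this hunk and continues after it.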
From: zotlabs Date: Sun, 6 May 2018 16:12:06 -0700 Subject: Back in the day there were good reasons for showing a permission denied photo instead of a null img. It distinguished a 403 from a 404 in an unmistakable way. What we've discovered is that nothing that is gained from this knowledge and it mostly just annoys and confuses people who can't really do anything about it except to express their annoyance/confusion. So just do a 403/404 instead. --- Zotlabs/Module/Photo.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'Zotlabs/Module/Photo.php') diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index b3171fe75..9cafc8d07 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -144,9 +144,11 @@ class Photo extends \Zotlabs\Web\Controller { if(! in_array($resolution,[4,5,6])) $allowed = (-1); } - if($allowed === (-1)) + + if($allowed === (-1)) { $allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo); - + } + $channel = channelx_by_n($r[0]['uid']); // Now we'll see if we can access the photo @@ -166,13 +168,12 @@ class Photo extends \Zotlabs\Web\Controller { } else { if(! $allowed) { - logger('mod_photo: forbidden. ' . \App::$query_string); - $observer = \App::get_observer(); - logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)')); - $data = file_get_contents('images/nosign.png'); - $mimetype = 'image/png'; - $prvcachecontrol = true; + http_status_exit(403,'forbidden'); + } + if(! $exists) { + http_status_exit(404,'not found'); } + } } } -- cgit v1.2.3 From de63e40a704761c2efd1e04e1313a37c43fef20e Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Tue, 15 May 2018 10:20:20 +0200 Subject: we must now provide the full path to the profile image for the cavatar plugin to work --- Zotlabs/Module/Photo.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'Zotlabs/Module/Photo.php') 
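Review bot: The new branch in the second hunk (`@@ -166,13 +168,12 @@`) drops both `logger(...)` calls along with the nosign.png fallback, so a denied request now leaves no record of the query string or of which observer was refused; keep `logger('mod_photo: forbidden. ' . \App::$query_string);` in front of `http_status_exit(403,'forbidden');` so denials remain auditable. Because `! $allowed` is tested before `! $exists`, an unauthenticated observer receives a 403 for any resource_id that exists and a 404 otherwise, which confirms the existence of private photos; if that distinction is not intended, answering 404 in both cases avoids it. Both tests sit inside the `if($r)` block that begins before this hunk, so `$exists` is presumably only false when the second query's extra filter excludes the row — worth confirming.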
diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index 9cafc8d07..ccc59ed09 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -31,7 +31,7 @@ class Photo extends \Zotlabs\Web\Controller { $observer_xchan = get_observer_hash(); - $default = get_default_profile_photo(); + $default = z_root() . '/' . get_default_profile_photo(); if(isset($type)) { @@ -45,11 +45,11 @@ class Photo extends \Zotlabs\Web\Controller { case 'm': $resolution = 5; - $default = get_default_profile_photo(80); + $default = z_root() . '/' . get_default_profile_photo(80); break; case 's': $resolution = 6; - $default = get_default_profile_photo(48); + $default = z_root() . '/' . get_default_profile_photo(48); break; case 'l': default: @@ -183,15 +183,15 @@ class Photo extends \Zotlabs\Web\Controller { switch($resolution) { case 4: - $data = file_get_contents(get_default_profile_photo()); + $data = file_get_contents(z_root() . '/' . get_default_profile_photo()); $mimetype = 'image/png'; break; case 5: - $data = file_get_contents(get_default_profile_photo(80)); + $data = file_get_contents(z_root() . '/' . get_default_profile_photo(80)); $mimetype = 'image/png'; break; case 6: - $data = file_get_contents(get_default_profile_photo(48)); + $data = file_get_contents(z_root() . '/' . get_default_profile_photo(48)); $mimetype = 'image/png'; break; default: -- cgit v1.2.3 From aac5fd96cc9ea03a329234f6b2bd8b12a0f4ae5f Mon Sep 17 00:00:00 2001 From: zotlabs Date: Tue, 15 May 2018 16:51:04 -0700 Subject: provide function to fetch photo contents from url --- Zotlabs/Module/Photo.php | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'Zotlabs/Module/Photo.php') diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index ccc59ed09..29ad06e80 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php 
@@ -83,7 +83,7 @@ class Photo extends \Zotlabs\Web\Controller { $data = file_get_contents($data); } if(! $data) { - $data = file_get_contents($default); + $data = fetch_image_from_url($default,$mimetype); } if(! $mimetype) { $mimetype = 'image/png'; @@ -183,16 +183,13 @@ class Photo extends \Zotlabs\Web\Controller { switch($resolution) { case 4: - $data = file_get_contents(z_root() . '/' . get_default_profile_photo()); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(),$mimetype); break; case 5: - $data = file_get_contents(z_root() . '/' . get_default_profile_photo(80)); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(80),$mimetype); break; case 6: - $data = file_get_contents(z_root() . '/' . get_default_profile_photo(48)); - $mimetype = 'image/png'; + $data = fetch_image_from_url(z_root() . '/' . get_default_profile_photo(48),$mimetype); break; default: killme(); -- cgit v1.2.3 From 12c571a1878348c77362a345853eb9575943ef38 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Wed, 16 May 2018 10:47:18 +0200 Subject: missing include --- Zotlabs/Module/Photo.php | 1 + 1 file changed, 1 insertion(+) (limited to 'Zotlabs/Module/Photo.php') diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index 29ad06e80..f348866d9 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -4,6 +4,7 @@ namespace Zotlabs\Module; require_once('include/security.php'); require_once('include/attach.php'); require_once('include/photo/photo_driver.php'); +require_once('include/photos.php'); class Photo extends \Zotlabs\Web\Controller { -- cgit v1.2.3 From dae89ce91c65679003d10da113a45f3ff37a8d39 Mon Sep 17 00:00:00 2001 
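Review bot: Replacing the local reads with `fetch_image_from_url(z_root() . '/' . get_default_profile_photo(),$mimetype)` in the second hunk (`@@ -183,16 +183,13 @@`) turns a disk read of a bundled image into an HTTP request from the server to its own public URL; when that loop-back request fails (egress filtering, TLS or DNS misconfiguration, a site behind an authenticating proxy), `$data` is empty and the `$mimetype = 'image/png';` fallback that the old lines set is gone from these three cases. Consider reading the file from its local path first and using the URL form only where the plugin hook needs it, or at least restoring `$mimetype = 'image/png';` as a default after each fetch. Whether `fetch_image_from_url` sets `$mimetype` by reference and what it returns on failure is not visible here; the first hunk (`@@ -83,7 +83,7 @@`) has the same dependency but does keep its `if(! $mimetype)` fallback. The enclosing method starts and ends outside both hunks.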
From: zotlabs Date: Fri, 18 May 2018 16:57:45 -0700 Subject: wrong default param for pubstream_incl (this checkin also picked up a few minor and hopefully non-significant changes) --- Zotlabs/Module/Photo.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'Zotlabs/Module/Photo.php') diff --git a/Zotlabs/Module/Photo.php b/Zotlabs/Module/Photo.php index f348866d9..8efc00707 100644 --- a/Zotlabs/Module/Photo.php +++ b/Zotlabs/Module/Photo.php @@ -14,7 +14,8 @@ class Photo extends \Zotlabs\Web\Controller { $prvcachecontrol = false; $streaming = null; $channel = null; - + $person = 0; + switch(argc()) { case 4: $person = argv(3); @@ -31,7 +32,7 @@ class Photo extends \Zotlabs\Web\Controller { } $observer_xchan = get_observer_hash(); - + $default = z_root() . '/' . get_default_profile_photo(); if(isset($type)) { -- cgit v1.2.3