From 86eb923f296ff911e3f516e9052b3edc55a02c8a Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Sun, 31 Jul 2016 18:08:41 -0700
Subject: make guest access tokens work with PERMS_NETWORK, PERMS_SITE,
 PERMS_PENDING, and PERMS_CONTACTS; or everything but PERMS_SPECIFIC.
 PERMS_SITE could be contentious, but we're currently denying them as they are
 a guest and don't actually have a channel on this site. We can't easily make
 PERMS_SPECIFIC work without providing an abook entry for the guest since we
 would need to set specific permissions for the guest login, but unfortunately
 this could be the most desirable setting to use in many cases. There is also
 an update of hmessages.po in this commit.

---
 include/permissions.php | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'include/permissions.php')

diff --git a/include/permissions.php b/include/permissions.php
index 638bedb24..a1e05d120 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -1,4 +1,7 @@
 <?php
+
+require_once('include/security.php');
+
 /**
  * @file include/permissions.php
  *
@@ -123,6 +126,9 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 					$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
 						dbesc($observer_xchan)
 					);
+					// no xchan either, see if they've got a guest access token
+					if(! $y)
+						$x = atoken_abook($uid,$observer_xchan);
 				}
 
 				$abook_checked = true;
@@ -332,6 +338,9 @@ function perm_is_allowed($uid, $observer_xchan, $permission) {
 			$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
 				dbesc($observer_xchan)
 			);
+			// no xchan either, see if they've got a guest access token
+			if(! $y)
+				$x = atoken_abook($uid,$observer_xchan);
 		}
 		$abperms = load_abconfig($uid,$observer_xchan,'my_perms');
 	}
-- 
cgit v1.2.3


From 3a7d3e3a542ef9297a8a20e3548f01f43fb37f0e Mon Sep 17 00:00:00 2001
From: redmatrix <git@macgirvin.com>
Date: Mon, 1 Aug 2016 20:12:52 -0700
Subject: This checkin should make all permission modes work correctly with
 atokens (they should be able to post content if allowed to). It also removes
 the strict linkage between permissions and connections so any individual
 permission can be set for any xchan; even those for which you have no
 connections.

---
 include/permissions.php | 56 ++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 41 insertions(+), 15 deletions(-)

(limited to 'include/permissions.php')

diff --git a/include/permissions.php b/include/permissions.php
index a1e05d120..637193973 100644
--- a/include/permissions.php
+++ b/include/permissions.php
@@ -122,13 +122,21 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 					dbesc($observer_xchan)
 				);
 				if(! $x) {
-					// not in address book, see if they've got an xchan
-					$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
-						dbesc($observer_xchan)
-					);
-					// no xchan either, see if they've got a guest access token
-					if(! $y)
-						$x = atoken_abook($uid,$observer_xchan);
+					// see if they've got a guest access token; these are treated as connections
+					$y = atoken_abook($uid,$observer_xchan);
+					if($y)
+						$x = array($y);
+
+					if(! $x) {
+						// not in address book and no guest token, see if they've got an xchan
+						// these *may* have individual (PERMS_SPECIFIC) permissions, but are not connections
+						$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
+							dbesc($observer_xchan)
+						);
+						if($y) {
+							$x = array(pseudo_abook($y[0]));
+						}
+					}
 				}
 
 				$abook_checked = true;
@@ -190,7 +198,7 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 		// If we're still here, we have an observer, check the network.
 
 		if($channel_perm & PERMS_NETWORK) {
-			if(($x && $x[0]['xchan_network'] === 'zot') || ($y && $y[0]['xchan_network'] === 'zot')) {
+			if($x && $x[0]['xchan_network'] === 'zot') {
 				$ret[$perm_name] = true;
 				continue;
 			}
@@ -238,6 +246,12 @@ function get_all_perms($uid, $observer_xchan, $internal_use = true) {
 		// They're a contact, so they have permission
 
 		if($channel_perm & PERMS_CONTACTS) {
+			// it was a fake abook entry, not really a connection
+			if(array_key_exists('abook_pseudo',$x[0]) && intval($x[0]['abook_pseudo'])) {
+				$ret[$perm_name] = false;
+				continue;
+			}
+				
 			$ret[$perm_name] = true;
 			continue;
 		}
@@ -334,13 +348,21 @@ function perm_is_allowed($uid, $observer_xchan, $permission) {
 			return false;
 
 		if(! $x) {
-			// not in address book, see if they've got an xchan
-			$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
-				dbesc($observer_xchan)
-			);
-			// no xchan either, see if they've got a guest access token
-			if(! $y)
-				$x = atoken_abook($uid,$observer_xchan);
+			// see if they've got a guest access token
+			$y = atoken_abook($uid,$observer_xchan);
+			if($y)
+				$x = array($y);
+
+			if(! $x) {
+				// not in address book and no guest token, see if they've got an xchan
+				$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
+					dbesc($observer_xchan)
+				);
+				if($y) {
+					$x = array(pseudo_abook($y[0]));
+				}
+			}
+
 		}
 		$abperms = load_abconfig($uid,$observer_xchan,'my_perms');
 	}
@@ -410,6 +432,10 @@ function perm_is_allowed($uid, $observer_xchan, $permission) {
 	// They're a contact, so they have permission
 
 	if($channel_perm & PERMS_CONTACTS) {
+		// it was a fake abook entry, not really a connection
+		if(array_key_exists('abook_pseudo',$x[0]) && intval($x[0]['abook_pseudo'])) {
+			return false;
+		}
 		return true;
 	}
 
-- 
cgit v1.2.3