From 41c411739fcb92edfca673106800741eef413c86 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 30 Jul 2013 19:43:46 -0700 Subject: attachment permissions not right --- include/security.php | 82 ++++++++++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 38 deletions(-) (limited to 'include/security.php') diff --git a/include/security.php b/include/security.php index 29a0fc0bc..ef4d5a313 100644 --- a/include/security.php +++ b/include/security.php @@ -205,26 +205,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) { else { - $observer = get_app()->get_observer(); - $groups = init_groups_visitor($remote_user); - - $gs = '<<>>'; // should be impossible to match - - if(is_array($groups) && count($groups)) { - foreach($groups as $g) - $gs .= '|<' . $g . '>'; - } - $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) - ) - ", - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs), - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs) - ); + $observer = get_observer_hash(); + if($observer) { + $groups = init_groups_visitor($observer); + + $gs = '<<>>'; // should be impossible to match + + if(is_array($groups) && count($groups)) { + foreach($groups as $g) + $gs .= '|<' . $g . '>'; + } + $sql = sprintf( + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + ) + ", + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs), + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs) + ); + } } + return $sql; } @@ -260,25 +263,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) else { - $observer = get_app()->get_observer(); - $groups = init_groups_visitor($remote_user); - - $gs = '<<>>'; // should be impossible to match - - if(is_array($groups) && count($groups)) { - foreach($groups as $g) - $gs .= '|<' . $g . '>'; - } - $sql = sprintf( - " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') - AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) - ) - ", - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs), - dbesc(protect_sprintf( '%<' . $remote_user . '>%')), - dbesc($gs) - ); + $observer = get_observer_hash(); + + if($observer) { + $groups = init_groups_visitor($observer); + + $gs = '<<>>'; // should be impossible to match + + if(is_array($groups) && count($groups)) { + foreach($groups as $g) + $gs .= '|<' . $g . '>'; + } + $sql = sprintf( + " AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') + AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) + ) + ", + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs), + dbesc(protect_sprintf( '%<' . $observer . '>%')), + dbesc($gs) + ); + } } return $sql; } -- cgit v1.2.3