From 5d008a6923b631acf3bad7d82be680cc668475b6 Mon Sep 17 00:00:00 2001
From: friendica
Date: Sun, 16 Dec 2012 03:38:04 -0800
Subject: fixing permissions_sql - may need more tweaks
---
 include/security.php | 131 ++++++++++++++++++---------------------------------
 1 file changed, 46 insertions(+), 85 deletions(-)
(limited to 'include/security.php')
diff --git a/include/security.php b/include/security.php
index c47ab1524..ddfb8201d 100644
--- a/include/security.php
+++ b/include/security.php
@@ -182,7 +182,8 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
 $sql = " AND allow_cid = ''
 AND allow_gid = ''
 AND deny_cid = ''
- AND deny_gid = ''
+ AND deny_gid = ''
+ ";
 /**
@@ -201,54 +202,31 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
 * done this and passed the groups into this function.
 */
- elseif($remote_user) {
- if(! $remote_verified) {
- $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
- intval($remote_user),
- intval($owner_id)
- );
- if(count($r)) {
- $remote_verified = true;
- $groups = init_groups_visitor($remote_user);
- }
- }
- if($remote_verified) {
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . intval($g) . '>';
- }
-
- /*$sql = sprintf(
- " AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
- AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
- AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
- AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')
- ",
- intval($remote_user),
- intval($remote_user),
- dbesc($gs),
- dbesc($gs)
- );*/
- $sql = sprintf(
- " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
- AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- intval($remote_user),
- dbesc($gs),
- intval($remote_user),
- dbesc($gs)
- );
- }
+ else {
+ $observer = get_app()->get_observer();
+ $groups = init_groups_visitor($remote_user);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs)
+ );
 }
 return $sql;
 }
-
 function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) {
 $local_user = local_user();
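Review bot: Replacing `elseif($remote_user) {` with `else {` routes requests that have no `$remote_user` through the contact branch, and the LIKE argument built from `'%' . $remote_user . '%'` then collapses to `<%%>`, which matches any non-empty `allow_cid`/`deny_cid`, so the anonymous default `$sql` assembled earlier in the function (above this hunk) is overwritten by a far more permissive clause; I cannot see whether an earlier branch already intercepts the empty case, so keeping `elseif($remote_user) {` is the safe form. The lookup that confirmed the contact belongs to `$owner_id` with `blocked = 0` is also gone, so the `$remote_verified` parameter is now dead, `$groups` is unconditionally overwritten by `init_groups_visitor($remote_user)`, and `$observer` is fetched but never read — either use it for the hash or drop the call. Even with a real hash, the `%` wildcards turn `'<%hash%>'` into a substring match across the whole column rather than an exact `<hash>` token, assuming `protect_sprintf` only guards the later sprintf pass and leaves the wildcards in the final SQL. The same rewrite appears in the item_permissions_sql hunk below and this note applies there as well.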
@@ -260,12 +238,8 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
 * default permissions - anonymous user
 */
- $sql = " AND allow_cid = ''
- AND allow_gid = ''
- AND deny_cid = ''
- AND deny_gid = ''
- AND private = 0
- ";
+ $sql = " AND not (item_flags & " . ITEM_PRIVATE . ") ";
+
 /**
 * Profile owner - everything is visible
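Review bot: The anonymous default now tests only the ITEM_PRIVATE bit of `item_flags` and drops the `allow_cid = '' AND allow_gid = '' AND deny_cid = '' AND deny_gid = ''` conditions, so an item that carries ACL entries but lacks that flag becomes visible to unauthenticated requests. Whether the write path guarantees the flag whenever any allow/deny list is non-empty is not visible in this diff; unless that invariant is enforced elsewhere, keep the ACL-empty checks next to the flag test: `$sql = " AND not (item_flags & " . ITEM_PRIVATE . ") AND allow_cid = '' AND allow_gid = '' AND deny_cid = '' AND deny_gid = '' ";`. If the invariant does hold, a one-line comment naming where it is enforced would let the next reader see why the ACL columns no longer need checking here.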
@@ -283,45 +257,33 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
 * done this and passed the groups into this function.
 */
- elseif($remote_user) {
- if(! $remote_verified) {
- $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
- intval($remote_user),
- intval($owner_id)
- );
- if(count($r)) {
- $remote_verified = true;
- $groups = init_groups_visitor($remote_user);
- }
- }
- if($remote_verified) {
-
- $gs = '<<>>'; // should be impossible to match
-
- if(is_array($groups) && count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . intval($g) . '>';
- }
-
- $sql = sprintf(
- " AND ( private = 0 OR ( private = 1 AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
- AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
- AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
- AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')))
- ",
- intval($remote_user),
- intval($remote_user),
- dbesc($gs),
- dbesc($gs)
- );
- }
+ else {
+ $observer = get_app()->get_observer();
+ $groups = init_groups_visitor($remote_user);
+
+ $gs = '<<>>'; // should be impossible to match
+
+ if(is_array($groups) && count($groups)) {
+ foreach($groups as $g)
+ $gs .= '|<' . $g . '>';
+ }
+ $sql = sprintf(
+ " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
+ AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+ )
+ ",
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs),
+ dbesc(protect_sprintf( '%' . $remote_user . '%')),
+ dbesc($gs)
+ );
 }
-
 return $sql;
 }
+
 /*
 * Functions used to protect against Cross-Site Request Forgery
 * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
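Review bot: The new remote-visitor clause never consults the privacy flag, whereas the removed code required `private = 0 OR ( private = 1 AND wall = 1 AND … )`; with the new `OR ( allow_cid = '' AND allow_gid = '' )` alternative, an item flagged ITEM_PRIVATE but with empty allow lists passes for any remote visitor, and the `wall = 1` restriction disappears entirely. To stay parallel with the anonymous default in the previous hunk, the whole ACL test should be wrapped as `AND ( NOT (item_flags & " . ITEM_PRIVATE . ") OR ( … existing NOT(deny) / allow clause … ) )`, with the constant concatenated outside the sprintf format as that hunk already does. This hunk also repeats the `else` instead of `elseif($remote_user)`, the unverified `$remote_user`, the ignored `$remote_verified`/`$groups` parameters and the unused `$observer` raised on the permissions_sql hunk above.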
@@ -388,8 +350,7 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
 if(! function_exists('init_groups_visitor')) {
 function init_groups_visitor($contact_id) {
 $groups = array();
- $r = q("SELECT `gid` FROM `group_member`
- WHERE `contact-id` = %d ",
+ $r = q("SELECT gid FROM group_member WHERE xchan = '%s' ",
 intval($contact_id)
 );
 if(count($r)) {
-- cgit v1.2.3
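Review bot: The query now compares `xchan` against a quoted `'%s'`, but the bound argument on the unchanged context line is still `intval($contact_id)`; for a non-numeric xchan hash that evaluates to 0, so the statement compares against '0', returns no rows, and the caller's `allow_gid`/`deny_gid` checks silently degrade to the `<<>>` sentinel. Bind the value as an escaped string instead: `dbesc($contact_id)`. The body of init_groups_visitor continues past the end of the hunk.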