From b20887995a2b3277659e01d99ae4de238f7175ef Mon Sep 17 00:00:00 2001 From: Alexandre Hannud Abdo Date: Tue, 17 Jun 2014 04:26:18 -0300 Subject: Implements a new permission level PERMS_PENDING With this a user can allow some action to any user which connects to them, even before they've connected back. Ref. https://mobiliza.org.br/display/478d9e71eaf55748dc646d3990651d6d34cfb7db5c38360538ec730ca3ccf908@zothub.com Also some code cleanup and an alternative logic for handling notifications of permission changes in zot.php. This assumes that private posts are still restricted to people in your addressbook. Regardless of your global permissions, a pending channel won't get private posts, even if the post only has a deny clause not matching the pending channel. --- include/security.php | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'include/security.php') diff --git a/include/security.php b/include/security.php index 285c4a231..aaf4eb050 100644 --- a/include/security.php +++ b/include/security.php @@ -311,7 +311,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '', } function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') { if (!check_form_security_token($typename, $formname)) { - $a = get_app(); + $a = get_app(); logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); header('HTTP/1.1 403 Forbidden'); @@ -342,19 +342,22 @@ function init_groups_visitor($contact_id) { // This is used to determine which uid have posts which are visible to the logged in user (from the API) for the -// public_timeline, and we can use this in a community page by making $perms_min = PERMS_NETWORK unless logged in. +// public_timeline, and we can use this in a community page by making +// $perms = (PERMS_NETWORK|PERMS_PUBLIC) unless logged in. // Collect uids of everybody on this site who has opened their posts to everybody on this site (or greater visibility) // We always include yourself if logged in because you can always see your own posts // resolving granular permissions for the observer against every person and every post on the site // will likely be too expensive. // Returns a string list of comma separated channel_ids suitable for direct inclusion in a SQL query -function stream_perms_api_uids($perms_min = PERMS_SITE) { +function stream_perms_api_uids($perms = NULL ) { + $perms = is_null($perms) ? (PERMS_SITE|PERMS_NETWORK|PERMS_PUBLIC) : $perms; + $ret = array(); if(local_user()) $ret[] = local_user(); - $r = q("select channel_id from channel where channel_r_stream > 0 and channel_r_stream <= %d and not (channel_pageflags & %d)", - intval($perms_min), + $r = q("select channel_id from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)", + intval($perms), intval(PAGE_CENSORED|PAGE_SYSTEM|PAGE_REMOVED) ); if($r) @@ -373,13 +376,15 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) { return $str; } -function stream_perms_xchans($perms_min = PERMS_SITE) { +function stream_perms_xchans($perms = NULL ) { + $perms = is_null($perms) ? (PERMS_SITE|PERMS_NETWORK|PERMS_PUBLIC) : $perms; + $ret = array(); if(local_user()) $ret[] = get_observer_hash(); - $r = q("select channel_hash from channel where channel_r_stream > 0 and channel_r_stream <= %d and not (channel_pageflags & %d)", - intval($perms_min), + $r = q("select channel_hash from channel where channel_r_stream > 0 and (channel_r_stream & %d) and not (channel_pageflags & %d)", + intval($perms), intval(PAGE_CENSORED|PAGE_SYETEM|PAGE_REMOVED) ); if($r) -- cgit v1.2.3