From f965209eee06b3affbd3165e6c165e02f76bcabd Mon Sep 17 00:00:00 2001
From: redmatrix <redmatrix@redmatrix.me>
Date: Mon, 28 Sep 2015 19:45:57 -0700
Subject: check public scopes against visitor in item_permissions_sql()

---
 include/security.php | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

(limited to 'include/security.php')

diff --git a/include/security.php b/include/security.php
index 380505a79..03e03ad40 100644
--- a/include/security.php
+++ b/include/security.php
@@ -245,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 		$observer = (($remote_observer) ? $remote_observer : get_observer_hash());
 
 		if($observer) {
+
+			$s = scopes_sql($owner_id,$observer);
+
 			$groups = init_groups_visitor($observer);
 
 			$gs = '<<>>'; // should be impossible to match
@@ -256,8 +259,8 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 			$regexop = db_getfunc('REGEXP');
 			$sql = sprintf(
 				" AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
-				  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
-				  )
+				  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+				  ) OR ( item_private = 1 $s )
 				",
 				dbesc(protect_sprintf( '%<' . $observer . '>%')),
 				dbesc($gs),
@@ -270,6 +273,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 	return $sql;
 }
 
+/**
+ * Remote visitors also need to be checked against the public_scope parameter if item_private is set.
+ * This function checks the various permutations of that field for any which apply to this observer.
+ * 
+ */
+
+
+
+function scopes_sql($uid,$observer) {
+	$str = " and ( public_policy = 'authenticated' ";
+	if(! is_foreigner($observer))
+		$str .= " or public_policy = 'network: red' ";
+	if(local_channel())
+		$str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' ";
+
+	$ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
+		dbesc($observer),
+		intval($uid)
+	);
+	if(! $ab)
+		return $str . " ) ";
+	if($ab[0]['abook_pending'])
+		$str .= " or public_policy = 'any connections' ";
+	$str .= " or public_policy = 'contacts' ) ";
+	return $str;
+}
+ 
+	
+	
+
+
+
+
 /**
  * @param string $observer_hash
  *
-- 
cgit v1.2.3