From 9fe4bae52f0c7a84f9bfe51d960ec4e3774dfa7c Mon Sep 17 00:00:00 2001 From: redmatrix Date: Fri, 19 Aug 2016 17:12:48 -0700 Subject: block backdoor delivery of bulk imported items --- include/items.php | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/items.php b/include/items.php index 91110eb07..ac746c189 100755 --- a/include/items.php +++ b/include/items.php @@ -1627,8 +1627,21 @@ function item_store($arr, $allow_exec = false, $deliver = true) { $arr['commented'] = ((x($arr,'commented') !== false) ? datetime_convert('UTC','UTC',$arr['commented']) : datetime_convert()); $arr['comments_closed'] = ((x($arr,'comments_closed') !== false) ? datetime_convert('UTC','UTC',$arr['comments_closed']) : NULL_DATE); - $arr['received'] = datetime_convert(); - $arr['changed'] = datetime_convert(); + if($deliver) { + $arr['received'] = datetime_convert(); + $arr['changed'] = datetime_convert(); + } + else { + + // When deliver flag is false, we are *probably* performing an import or bulk migration. + // If one updates the changed timestamp it will be made available to zotfeed and delivery + // will still take place through backdoor methods. Since these fields are rarely used + // otherwise, just preserve the original timestamp. + + $arr['received'] = ((x($arr,'received') !== false) ? datetime_convert('UTC','UTC',$arr['received']) : datetime_convert()); + $arr['changed'] = ((x($arr,'changed') !== false) ? datetime_convert('UTC','UTC',$arr['changed']) : datetime_convert()); + } + $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); $arr['parent_mid'] = ((x($arr,'parent_mid')) ? notags(trim($arr['parent_mid'])) : ''); 
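Review bot: In the `else` branch of item_store(), an item that arrives without a `changed` value still falls back to `datetime_convert()`, so it receives a fresh timestamp and, by the reasoning in the new comment, is still exposed to zotfeed. Falling back to a timestamp the item already has would close that gap, for example `$arr['changed'] = ((x($arr,'changed') !== false) ? datetime_convert('UTC','UTC',$arr['changed']) : $arr['created']);`, provided `created` is already normalised at this point (not visible in the hunk). The supplied `received` and `changed` values are otherwise accepted as given, so a caller using `$deliver = false` can store a date in the future; capping them at the current time would keep an import from pinning items ahead of everything else. item_store() begins and ends outside the hunk.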
@@ -2035,8 +2048,22 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) { $arr['comments_closed'] = $orig[0]['comments_closed']; $arr['commented'] = $orig[0]['commented']; - $arr['received'] = datetime_convert(); - $arr['changed'] = datetime_convert(); + + if($deliver) { + $arr['received'] = datetime_convert(); + $arr['changed'] = datetime_convert(); + } + else { + + // When deliver flag is false, we are *probably* performing an import or bulk migration. + // If one updates the changed timestamp it will be made available to zotfeed and delivery + // will still take place through backdoor methods. Since these fields are rarely used + // otherwise, just preserve the original timestamp. + + $arr['received'] = $orig[0]['received']; + $arr['changed'] = $orig[0]['changed']; + } + $arr['route'] = ((array_key_exists('route',$arr)) ? trim($arr['route']) : $orig[0]['route']); $arr['diaspora_meta'] = ((x($arr,'diaspora_meta')) ? $arr['diaspora_meta'] : $orig[0]['diaspora_meta']); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : $orig[0]['location']); -- cgit v1.2.3 From 4f62d7a78f63e4bae136f52d70d0af906d997b78 Mon Sep 17 00:00:00 2001 From: Mario Vavti Date: Sun, 21 Aug 2016 15:43:03 +0200 Subject: move jotnets to jot and some cleanup (mostly whitespace) --- include/acl_selectors.php | 7 ------- include/conversation.php | 10 ++++++++-- 2 files changed, 8 insertions(+), 9 deletions(-) (limited to 'include') diff --git a/include/acl_selectors.php b/include/acl_selectors.php index 9bee942e2..362776b44 100644 --- a/include/acl_selectors.php +++ b/include/acl_selectors.php 
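Review bot: `$deliver = false` in item_store_update() now also freezes `received` and `changed` at their stored values, which the signature does not reveal. A caller that only wants to skip notifications for an edit will therefore produce an update that anything keyed on `changed` never notices. I would state this once on the function, e.g. `// $deliver = false: import/migration mode - no delivery, and 'received'/'changed' keep their stored values`, rather than repeating the inline explanation in both places. The same dual meaning applies to item_store() in the previous hunk, and both function bodies extend beyond their hunks.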
@@ -148,11 +148,6 @@ function populate_acl($defaults = null,$show_jotnets = true, $emptyACL_descripti array_walk($deny_cid,'fixacl'); array_walk($deny_gid,'fixacl'); } - - $jotnets = ''; - if($show_jotnets) { - call_hooks('jot_networks', $jotnets); - } $r = q("SELECT id, hash, gname FROM groups WHERE deleted = 0 AND uid = %d ORDER BY gname ASC", intval(local_channel()) @@ -181,8 +176,6 @@ function populate_acl($defaults = null,$show_jotnets = true, $emptyACL_descripti '$allowgid' => json_encode($allow_gid), '$denycid' => json_encode($deny_cid), '$denygid' => json_encode($deny_gid), - '$jnetModalTitle' => t('Other networks and post services'), - '$jotnets' => $jotnets, '$aclModalTitle' => t('Permissions'), '$aclModalDesc' => $dialog_description, '$aclModalDismiss' => t('Close'), diff --git a/include/conversation.php b/include/conversation.php index 7d1473fe2..637234bff 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1200,8 +1200,6 @@ function status_editor($a, $x, $popup = false) { $tpl = get_markup_template('jot.tpl'); - $jotplugins = ''; - $preview = t('Preview'); if(x($x, 'hide_preview')) $preview = ''; @@ -1218,8 +1216,14 @@ function status_editor($a, $x, $popup = false) { if(! $cipher) $cipher = 'aes256'; + $jotplugins = ''; call_hooks('jot_tool', $jotplugins); + $jotnets = ''; + if(x($x,'jotnets')) { + call_hooks('jot_networks', $jotnets); + } + $o .= replace_macros($tpl, array( '$return_path' => ((x($x, 'return_path')) ? $x['return_path'] : App::$query_string), '$action' => z_root() . '/item', @@ -1276,6 +1280,8 @@ function status_editor($a, $x, $popup = false) { '$preview' => $preview, '$source' => ((x($x, 'source')) ? $x['source'] : ''), '$jotplugins' => $jotplugins, + '$jotnets' => $jotnets, + '$jotnets_label' => t('Other networks and post services'), '$defexpire' => $defexpire, '$feature_expire' => $feature_expire, '$expires' => t('Set expiration date'), -- cgit v1.2.3 
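Review bot: The network selector changes from opt-out to opt-in in status_editor(): populate_acl() ran the `jot_networks` hook unless `$show_jotnets` was false, while the new code runs it only when `x($x,'jotnets')` is set, so any caller that does not pass that key loses the cross-posting controls. If that is intended, the `$show_jotnets` parameter still present in the populate_acl() hunk header appears to be unused now and should be marked, e.g. `// $show_jotnets is ignored since jotnets moved to status_editor(); kept for caller compatibility`. `$jotnets` and `$jotplugins` are filled by plugin hooks and passed to `replace_macros()` as they are, so a one-line comment at `call_hooks('jot_networks', $jotnets);` saying the value is plugin-supplied markup would tell template authors not to assume it is escaped. status_editor() begins and ends outside these hunks.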
From 7045b920efb6f5f9cd4a7eb2b7abaabe14b99634 Mon Sep 17 00:00:00 2001 From: redmatrix Date: Sun, 21 Aug 2016 17:38:36 -0700 Subject: make zid() do the right things when confronted with url fragments --- include/channel.php | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'include') diff --git a/include/channel.php b/include/channel.php index 1179697a4..47db7e806 100644 --- a/include/channel.php +++ b/include/channel.php @@ -1381,6 +1381,11 @@ function zid($s,$address = '') { if (! strlen($s) || strpos($s,'zid=')) return $s; + $m = parse_url($s); + $fragment = ((array_key_exists('fragment',$m) && $m['fragment']) ? $m['fragment'] : false); + if($fragment !== false) + $s = str_replace('#' . $fragment,'',$s); + $has_params = ((strpos($s,'?')) ? true : false); $num_slashes = substr_count($s, '/'); if (! $has_params) @@ -1401,6 +1406,11 @@ function zid($s,$address = '') { else $zurl = $s; + // put fragment at the end + + if($fragment) + $zurl .= '#' . $fragment; + $arr = array('url' => $s, 'zid' => urlencode($myaddr), 'result' => $zurl); call_hooks('zid', $arr); -- cgit v1.2.3 From e967bc9c455c27f08a2add12d566e81036819e4e Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 22 Aug 2016 17:04:13 -0700 Subject: public forum fallback checking (when custom/expert permissions are applied) was looking at owner rather than observer perms --- include/zot.php | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'include') diff --git a/include/zot.php b/include/zot.php index 01b29f74b..c3c924113 100644 --- a/include/zot.php +++ b/include/zot.php @@ -3708,6 +3708,8 @@ function zotinfo($arr) { } } + $ztarget_hash = (($ztarget && $zsig) ? make_xchan_hash($ztarget,$zsig) : '' ); + $r = null; if(strlen($zhash)) { 
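Review bot: `parse_url()` returns false for URLs it cannot parse, and the new `array_key_exists('fragment',$m)` in zid() is then called on a non-array, which raises a warning on older PHP and a TypeError on PHP 8. Guard it with `$fragment = ((is_array($m) && array_key_exists('fragment',$m) && $m['fragment']) ? $m['fragment'] : false);`. The truthiness test also treats a fragment of `0` as absent, so for a URL ending in `#0` the zid parameter is still appended after the fragment; testing `strlen($m['fragment'])` instead would avoid that. The `zid` hook now receives `$arr['url']` with the fragment removed, which deserves a mention in the `// put fragment at the end` comment. zid() begins and ends outside both hunks.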
@@ -3783,11 +3785,11 @@ function zotinfo($arr) { if($role === 'forum' || $role === 'repository') { $public_forum = true; } - else { + elseif($ztarget_hash) { // check if it has characteristics of a public forum based on custom permissions. $t = q("select * from abconfig where abconfig.cat = 'my_perms' and abconfig.chan = %d and abconfig.xchan = '%s' and abconfig.k in ('tag_deliver', 'send_stream') ", intval($e['channel_id']), - dbesc($e['channel_hash']) + dbesc($ztarget_hash) ); $ch = 0; @@ -3889,9 +3891,6 @@ function zotinfo($arr) { $ret['follow_url'] = z_root() . '/follow?f=&url=%s'; - $ztarget_hash = (($ztarget && $zsig) - ? make_xchan_hash($ztarget,$zsig) - : '' ); $permissions = get_all_perms($e['channel_id'],$ztarget_hash,false); -- cgit v1.2.3 From 38ca3bac405b339367b513037428f796c433819a Mon Sep 17 00:00:00 2001 From: redmatrix Date: Mon, 22 Aug 2016 17:41:41 -0700 Subject: optional server role compatibility checks for plugins --- include/plugin.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'include') diff --git a/include/plugin.php b/include/plugin.php index cb206d944..663d17959 100755 --- a/include/plugin.php +++ b/include/plugin.php @@ -404,6 +404,18 @@ function check_plugin_versions($info) { return false; } } + if(array_key_exists('serverroles',$info)) { + $role = \Zotlabs\Lib\System::get_server_role(); + if(! ( + stristr($info['serverroles'],'*') + || stristr($info['serverroles'],'any') + || stristr($info['serverroles'],$role))) { + logger('serverrole limit: ' . $info['name'],LOGGER_NORMAL,LOG_WARNING); + return false; + + } + } + if(array_key_exists('requires',$info)) { $arr = explode(',',$info['requires']); -- cgit v1.2.3
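Review bot: With `elseif($ztarget_hash)` the custom-permission check is skipped whenever the request carries no target, so `$public_forum` keeps its earlier value (presumably false) and a lookup without `$ztarget`/`$zsig` can no longer classify a custom-permission channel as a public forum. If that is intended, the comment should say so, e.g. `// without an observer hash my_perms cannot be evaluated; the channel is then not reported as a public forum`. `$ztarget_hash` is built by `make_xchan_hash($ztarget,$zsig)` with no verification visible in these hunks; if both values come from the request, the query answers for a claimed identity rather than a proven one, which is worth noting next to `dbesc($ztarget_hash)`. zotinfo() begins and ends outside the hunks.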
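Review bot: The role test added to check_plugin_versions() matches substrings, so `stristr($info['serverroles'],$role)` accepts a plugin whenever the current role occurs anywhere inside the declared string, and `any` or `*` also match inside longer words. An empty `$role` behaves differently across PHP versions (a warning and false before PHP 8, a match from PHP 8 on), so the gate can open or close depending on the runtime. Comparing whole entries is safer, assuming the list is comma-separated like `requires` just below: `$roles = array_map('trim', explode(',', strtolower($info['serverroles'])));` followed by `if(! (in_array('*',$roles) || in_array('any',$roles) || in_array(strtolower($role),$roles)))`. The function continues beyond the hunk.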