From 599b395e247c991756c7cf5db29608b2c817f476 Mon Sep 17 00:00:00 2001
From: git-marijus <mario@mariovavti.com>
Date: Tue, 1 Aug 2017 23:20:39 +0200
Subject: finally fix recursive attachments permissions

---
 include/attach.php | 133 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 79 insertions(+), 54 deletions(-)

(limited to 'include')

diff --git a/include/attach.php b/include/attach.php
index d19de2ea3..79a38590b 100644
--- a/include/attach.php
+++ b/include/attach.php
@@ -1605,7 +1605,10 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
 
 		$folder_hash = $object['folder'];
 
-		$r_perms = recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
+		$r_perms = attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
+
+		if($r_perms === false) //nobody has recursive perms - nobody must be notified
+			return;
 
 		//split up returned perms
 		$arr_allow_cid = $r_perms['allow_cid'];
@@ -1768,7 +1771,7 @@ function get_file_activity_object($channel_id, $hash, $url) {
 }
 
 /**
- * @brief Returns array of channels which have recursive permission for a file
+ * @brief Returns recursive permissions array or false if nobody has recursive permissions
  *
  * @param array $arr_allow_cid
  * @param array $arr_allow_gid
@@ -1776,19 +1779,20 @@ function get_file_activity_object($channel_id, $hash, $url) {
  * @param array $arr_deny_gid
  * @param string $folder_hash
  */
-function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
+function attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
 
 	$ret = array();
 	$parent_arr = array();
 	$count_values = array();
 	$poster = App::get_observer();
 
-	//turn allow_gid into allow_cid's
-	foreach($arr_allow_gid as $gid) {
-		$in_group = group_get_members($gid);
+	//lookup all channels in sharee group and add them to sharee $arr_allow_cid
+	if($arr_allow_gid) {
+		$in_group = expand_groups($arr_allow_gid);
 		$arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group));
 	}
 
+	//count existing parent folders - we will compare to that count later
 	$count = 0;
 	while($folder_hash) {
 		$x = q("SELECT allow_cid, allow_gid, deny_cid, deny_gid, folder FROM attach WHERE hash = '%s' LIMIT 1",
@@ -1797,30 +1801,20 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 
 		//only process private folders
 		if($x[0]['allow_cid'] || $x[0]['allow_gid'] || $x[0]['deny_cid'] || $x[0]['deny_gid']) {
-
 			$parent_arr['allow_cid'][] = expand_acl($x[0]['allow_cid']);
 			$parent_arr['allow_gid'][] = expand_acl($x[0]['allow_gid']);
-
-			/**
-			 * @TODO should find a much better solution for the allow_cid <-> allow_gid problem.
-			 * Do not use allow_gid for now. Instead lookup the members of the group directly and add them to allow_cid.
-			 * */
-			if($parent_arr['allow_gid']) {
-				foreach($parent_arr['allow_gid'][$count] as $gid) {
-					$in_group = group_get_members($gid);
-					$parent_arr['allow_cid'][$count] = array_unique(array_merge($parent_arr['allow_cid'][$count], $in_group));
-				}
-			}
-
 			$parent_arr['deny_cid'][] = expand_acl($x[0]['deny_cid']);
 			$parent_arr['deny_gid'][] = expand_acl($x[0]['deny_gid']);
 
+			//this is the number of all existing parent folders - we will compare to that count later
 			$count++;
 		}
 
 		$folder_hash = $x[0]['folder'];
 	}
 
+	//logger(EOL . 'parent_arr: ' . print_r($parent_arr,true));
+
 	//if none of the parent folders is private just return file perms
 	if(!$parent_arr['allow_cid'] && !$parent_arr['allow_gid'] && !$parent_arr['deny_cid'] && !$parent_arr['deny_gid']) {
 		$ret['allow_gid'] = $arr_allow_gid;
@@ -1831,7 +1825,7 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 		return $ret;
 	}
 
-	//if there are no perms on the file we get them from the first parent folder
+	//if there are no perms on the file we will work with the perms from the first parent folder
 	if(!$arr_allow_cid && !$arr_allow_gid && !$arr_deny_cid && !$arr_deny_gid) {
 		$arr_allow_cid = $parent_arr['allow_cid'][0];
 		$arr_allow_gid = $parent_arr['allow_gid'][0];
@@ -1839,52 +1833,83 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 		$arr_deny_gid = $parent_arr['deny_gid'][0];
 	}
 
-	//allow_cid
-	$r_arr_allow_cid = false;
-	foreach ($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
-		foreach ($folder_arr_allow_cid as $ac_hash) {
-			$count_values[$ac_hash]++;
+
+	/***
+	*
+	* check if sharee has perms for all parent folders
+	*
+	***/
+
+	$r_arr_allow_cid = [];
+
+	if($parent_arr['allow_cid']) {
+		//check sharee arr_allow_cid against allow_cid of all parent folders
+		foreach($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
+			foreach($folder_arr_allow_cid as $ac_hash) {
+				$count_values[$ac_hash]++;
+			}
 		}
-	}
-	foreach ($arr_allow_cid as $fac_hash) {
-		if($count_values[$fac_hash] == $count)
-			$r_arr_allow_cid[] = $fac_hash;
+		foreach($arr_allow_cid as $fac_hash) {
+			if($count_values[$fac_hash] == $count)
+				$r_arr_allow_cid[] = $fac_hash;
+		}
+		//logger(EOL . 'r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
 	}
 
-	//allow_gid
-	$r_arr_allow_gid = false;
-	foreach ($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
-		foreach ($folder_arr_allow_gid as $ag_hash) {
-			$count_values[$ag_hash]++;
+	if($parent_arr['allow_gid']) {
+		//check sharee arr_allow_cid against members of allow_gid of all parent folders
+		foreach($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
+			//get the group members
+			$folder_arr_allow_cid = expand_groups($folder_arr_allow_gid);
+			foreach($folder_arr_allow_cid as $ac_hash) {
+				$count_values[$ac_hash]++;
+			}
 		}
-	}
-	foreach ($arr_allow_gid as $fag_hash) {
-		if($count_values[$fag_hash] == $count)
-			$r_arr_allow_gid[] = $fag_hash;
+		foreach($arr_allow_cid as $fac_hash) {
+			if($count_values[$fac_hash] == $count)
+				$r_arr_allow_cid[] = $fac_hash;
+		}
+		//logger(EOL . 'groups - r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
 	}
 
-	//deny_gid
-	foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
-		$r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
-	}
-	$r_arr_deny_gid = array_unique($r_arr_deny_gid);
+
+	/***
+	*
+	* check if sharee is denied somewhere in parent folders and deny him if so
+	*
+	***/
 
 	//deny_cid
-	foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
-		$r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+	$r_arr_deny_cid = [];
+
+	if($parent_arr['deny_cid']) {
+		foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
+			$r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+		}
+		$r_arr_deny_cid = array_unique($r_arr_deny_cid);
+		//logger(EOL . 'r_arr_deny_cid: ' . print_r($r_arr_deny_cid,true));
 	}
-	$r_arr_deny_cid = array_unique($r_arr_deny_cid);
 
-	//if none is allowed restrict to self
-	if(($r_arr_allow_gid === false) && ($r_arr_allow_cid === false)) {
-		$ret['allow_cid'] = [$poster['xchan_hash']];
-	} else {
-		$ret['allow_gid'] = $r_arr_allow_gid;
-		$ret['allow_cid'] = $r_arr_allow_cid;
-		$ret['deny_gid'] = $r_arr_deny_gid;
-		$ret['deny_cid'] = $r_arr_deny_cid;
+	//deny_gid
+	$r_arr_deny_gid = [];
+
+	if($parent_arr['deny_cid']) {
+		foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
+			$r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
+		}
+		$r_arr_deny_gid = array_unique($r_arr_deny_gid);
+		//logger(EOL . 'r_arr_deny_gid: ' . print_r($r_arr_dr_arr_deny_gideny_cid,true));
 	}
 
+	//if no channel is allowed return false
+	if(! $r_arr_allow_cid)
+		return false;
+
+	$ret['allow_gid'] = []; // eventual group members are already collected in $r_arr_allow_cid
+	$ret['allow_cid'] = $r_arr_allow_cid;
+	$ret['deny_gid'] = $r_arr_deny_gid;
+	$ret['deny_cid'] = $r_arr_deny_cid;
+
 	return $ret;
 }
 
-- 
cgit v1.2.3