From dc8a46477b245dc89c3de69ddc61e83a2b8bd22a Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 1 Oct 2012 19:04:21 -0700 Subject: use hash for channel id --- include/identity.php | 27 +++++++++++++++++++++++---- include/security.php | 21 +++++++++++++++++++++ 2 files changed, 44 insertions(+), 4 deletions(-) (limited to 'include') diff --git a/include/identity.php b/include/identity.php index 41d83b66d..1c552a21a 100644 --- a/include/identity.php +++ b/include/identity.php @@ -82,14 +82,18 @@ function create_identity($arr) { $ret['channel'] = $r[0]; set_default_login_identity($arr['account_id'],$ret['channel']['channel_id'],false); - + + $sig = base64url_encode(rsa_sign($ret['channel']['channel_global_id'],$ret['channel']['channel_prvkey'])); + $hash = base64url_encode(hash('whirlpool',$ret['channel']['channel_global_id'] . $sig,true)); + // Create a verified hub location pointing to this site. - $r = q("insert into hubloc ( hubloc_guid, hubloc_guid_sig, hubloc_flags, + $r = q("insert into hubloc ( hubloc_guid, hubloc_guid_sig, hubloc_hash, hubloc_flags, hubloc_url, hubloc_url_sig, hubloc_callback, hubloc_sitekey ) - values ( '%s', '%s', %d, '%s', '%s', '%s', '%s' )", + values ( '%s', '%s', '%s', %d, '%s', '%s', '%s', '%s' )", dbesc($ret['channel']['channel_global_id']), - dbesc(base64url_encode(rsa_sign($ret['channel']['channel_global_id'],$ret['channel']['channel_prvkey']))), + dbesc($sig), + dbesc($hash), intval(($primary) ? HUBLOC_FLAGS_PRIMARY : 0), dbesc(z_root()), dbesc(base64url_encode(rsa_sign(z_root(),$ret['channel']['channel_prvkey']))), @@ -99,8 +103,23 @@ function create_identity($arr) { if(! $r) logger('create_identity: Unable to store hub location'); + $newuid = $ret['channel']['channel_id']; + $r = q("insert into xchan ( xchan_hash, xchan_guid, xchan_guid_sig, xchan_photo, xchan_addr, xchan_profile, xchan_name ) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s')", + dbesc($hash), + dbesc($ret['channel']['channel_global_id']), + dbesc($sig), + dbesc($a->get_baseurl() . "/photo/profile/{$newuid}"), + dbesc($ret['channel']['channel_address'] . '@' . $a->get_hostname()), + dbesc(z_root() . '/profile/' . $ret['channel']['channel_address']), + dbesc($ret['channel']['channel_name']) + ); + + // Not checking return value. + // It's ok for this to fail if it's an imported channel, and therefore the hash is a duplicate + + $r = q("INSERT INTO `profile` ( `aid`, `uid`, `profile_name`, `is_default`, `name`, `photo`, `thumb`) VALUES ( %d, %d, '%s', %d, '%s', '%s', '%s') ", intval($ret['channel']['channel_account_id']), diff --git a/include/security.php b/include/security.php index e221ad59b..a85787588 100644 --- a/include/security.php +++ b/include/security.php @@ -220,6 +220,27 @@ function can_write_wall(&$a,$owner) { } +function change_channel($change_channel) { + + $r = false; + + if($change_channel) { + $r = q("select * from channel where channel_id = %d and channel_account_id = %d limit 1", + intval($change_channel), + intval(get_account_id()) + ); + if($r && count($r)) { + $_SESSION['uid'] = intval($r[0]['channel_id']); + get_app()->set_channel($r[0]); + $_SESSION['theme'] = $r[0]['channel_theme']; + date_default_timezone_set($r[0]['channel_timezone']); + } + } + + return $r; + +} + function permissions_sql($owner_id,$remote_verified = false,$groups = null) { $local_user = local_user(); -- cgit v1.2.3