From b41218ca303b9fd8258fd613915d3c4b9fd411c0 Mon Sep 17 00:00:00 2001
From: Mike Macgirvin <mike@macgirvin.com>
Date: Sun, 24 Oct 2010 20:39:24 -0700
Subject: workflow for federated/non-dfrn followers

---
 mod/dfrn_confirm.php | 378 +++++++++++++++++++++++++++++----------------------
 1 file changed, 214 insertions(+), 164 deletions(-)

(limited to 'mod/dfrn_confirm.php')

diff --git a/mod/dfrn_confirm.php b/mod/dfrn_confirm.php
index b4ca74889..cc1edea22 100644
--- a/mod/dfrn_confirm.php
+++ b/mod/dfrn_confirm.php
@@ -7,7 +7,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 	if(is_array($handsfree)) {
 
 		// called directly from dfrn_request due to automatic friend acceptance
-		// any $_POST parameters we might need are supplied in the $handsfree array
+		// any $_POST parameters we may require are supplied in the $handsfree array
 
 		$node = $handsfree['node'];
 		$a->interactive = false; // notice() becomes a no-op since nobody is there to see it
@@ -19,12 +19,12 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 	}
 
 		// Main entry point. Our user received a friend request notification (perhaps 
-		// from another site) and clicked 'Accept'. $POST['source_url'] is not set.
+		// from another site) and clicked 'Approve'. $POST['source_url'] is not set.
 		// OR we have been called directly from dfrn_request ($handsfree != null) due to 
 		// this being a page type which supports automatic friend acceptance.
 
 	if(! x($_POST,'source_url')) {
-		
+
 		$uid = ((is_array($handsfree)) ? $handsfree['uid'] : local_user());
 
 		if(! $uid) {
@@ -42,7 +42,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 		}	
 
 
-		// These come from the friend request notification form or $handsfree reply.
+		// These come from either the friend request notification form or $handsfree array.
 
 		if(is_array($handsfree)) {
 			$dfrn_id = $handsfree['dfrn_id'];
@@ -53,13 +53,16 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 			$dfrn_id  = ((x($_POST,'dfrn_id')) ? notags(trim($_POST['dfrn_id'])) : "");
 			$intro_id = intval($_POST['intro_id']);
 			$duplex   = intval($_POST['duplex']);
+			$cid      = intval($_POST['contact_id']);
 		}
 
 		// The other person will have been issued an ID when they first requested friendship.
 		// Locate their record. At this time, their record will have both pending and blocked set to 1. 
+		// There won't be any dfrn_id if this is a network follower, so use the contact_id instead.
 
-		$r = q("SELECT * FROM `contact` WHERE `issued-id` = '%s' AND `uid` = %d LIMIT 1",
+		$r = q("SELECT * FROM `contact` WHERE ( ( `issued-id` != '' AND `issued-id` = '%s' ) OR ( `id` = %d AND `id` != 0 ) ) AND `uid` = %d LIMIT 1",
 				dbesc($dfrn_id),
+				intval($cid),
 				intval($uid)
 		);
 
@@ -68,153 +71,158 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 			return;
 		}
 
-		$contact_id   = $r[0]['id'];
-		$relation     = $r[0]['rel'];
-		$site_pubkey  = $r[0]['site-pubkey'];
-		$dfrn_confirm = $r[0]['confirm'];
-		$aes_allow    = $r[0]['aes_allow'];
+		$contact = $r[0];
 
+		$contact_id   = $contact['id'];
+		$relation     = $contact['rel'];
+		$site_pubkey  = $contact['site-pubkey'];
+		$dfrn_confirm = $contact['confirm'];
+		$aes_allow    = $contact['aes_allow'];
 
-		// Generate a key pair for all further communications with this person.
-		// We have a keypair for every contact, and a site key for unknown people.
-		// This provides a means to carry on relationships with other people if 
-		// any single key is compromised. It is a robust key. We're much more 
-		// worried about key leakage than anybody cracking it.  
 
-		$res = openssl_pkey_new(array(
-        		'digest_alg' => 'whirlpool',
-        		'private_key_bits' => 4096,
-			'encrypt_key' => false )
-		);
+		if($contact['network'] === 'dfrn') {
 
+			// Generate a key pair for all further communications with this person.
+			// We have a keypair for every contact, and a site key for unknown people.
+			// This provides a means to carry on relationships with other people if 
+			// any single key is compromised. It is a robust key. We're much more 
+			// worried about key leakage than anybody cracking it.  
 
-		$private_key = '';
+			$res = openssl_pkey_new(array(
+				'digest_alg' => 'whirlpool',
+				'private_key_bits' => 4096,
+				'encrypt_key' => false )
+			);
 
-		openssl_pkey_export($res, $private_key);
 
-		$pubkey = openssl_pkey_get_details($res);
-		$public_key = $pubkey["key"];
+			$private_key = '';
 
-		// Save the private key. Send them the public key.
+			openssl_pkey_export($res, $private_key);
 
-		$r = q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
-			dbesc($private_key),
-			intval($contact_id),
-			intval($uid) 
-		);
+			$pubkey = openssl_pkey_get_details($res);
+			$public_key = $pubkey["key"];
 
-		$params = array();
+			// Save the private key. Send them the public key.
 
-		// Per the protocol document, we will verify both ends by encrypting the dfrn_id with our 
-		// site private key (person on the other end can decrypt it with our site public key).
-		// Then encrypt our profile URL with the other person's site public key. They can decrypt
-		// it with their site private key. If the decryption on the other end fails for either
-		// item, it indicates tampering or key failure on at least one site and we will not be 
-		// able to provide a secure communication pathway.
+			$r = q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
+				dbesc($private_key),
+				intval($contact_id),
+				intval($uid) 
+			);
 
-		// If other site is willing to accept full encryption, (aes_allow is 1 AND we have php5.3 
-		// or later) then we encrypt the personal public key we send them using AES-256-CBC and a 
-		// random key which is encrypted with their site public key.  
+			$params = array();
 
-		$src_aes_key = random_string();
+			// Per the protocol document, we will verify both ends by encrypting the dfrn_id with our 
+			// site private key (person on the other end can decrypt it with our site public key).
+			// Then encrypt our profile URL with the other person's site public key. They can decrypt
+			// it with their site private key. If the decryption on the other end fails for either
+			// item, it indicates tampering or key failure on at least one site and we will not be 
+			// able to provide a secure communication pathway.
 
-		$result = '';
-		openssl_private_encrypt($dfrn_id,$result,$user[0]['prvkey']);
+			// If other site is willing to accept full encryption, (aes_allow is 1 AND we have php5.3 
+			// or later) then we encrypt the personal public key we send them using AES-256-CBC and a 
+			// random key which is encrypted with their site public key.  
 
-		$params['dfrn_id'] = bin2hex($result);
-		$params['public_key'] = $public_key;
+			$src_aes_key = random_string();
 
+			$result = '';
+			openssl_private_encrypt($dfrn_id,$result,$user[0]['prvkey']);
 
-		$my_url = $a->get_baseurl() . '/profile/' . $user[0]['nickname'];
+			$params['dfrn_id'] = bin2hex($result);
+			$params['public_key'] = $public_key;
 
-		openssl_public_encrypt($my_url, $params['source_url'], $site_pubkey);
-		$params['source_url'] = bin2hex($params['source_url']);
 
-		if($aes_allow && function_exists('openssl_encrypt')) {
-			openssl_public_encrypt($src_aes_key, $params['aes_key'], $site_pubkey);
-			$params['aes_key'] = bin2hex($params['aes_key']);
-			$params['public_key'] = bin2hex(openssl_encrypt($public_key,'AES-256-CBC',$src_aes_key));
-		}
+			$my_url = $a->get_baseurl() . '/profile/' . $user[0]['nickname'];
 
-		$params['dfrn_version'] = DFRN_PROTOCOL_VERSION ;
-		if($duplex == 1)
-			$params['duplex'] = 1;
+			openssl_public_encrypt($my_url, $params['source_url'], $site_pubkey);
+			$params['source_url'] = bin2hex($params['source_url']);
 
-		// POST all this stuff to the other site.
+			if($aes_allow && function_exists('openssl_encrypt')) {
+				openssl_public_encrypt($src_aes_key, $params['aes_key'], $site_pubkey);
+				$params['aes_key'] = bin2hex($params['aes_key']);
+				$params['public_key'] = bin2hex(openssl_encrypt($public_key,'AES-256-CBC',$src_aes_key));
+			}
 
-		$res = post_url($dfrn_confirm,$params);
+			$params['dfrn_version'] = DFRN_PROTOCOL_VERSION ;
+			if($duplex == 1)
+				$params['duplex'] = 1;
 
-		// Now figure out what they responded. Try to be robust if the remote site is 
-		// having difficulty and throwing up errors of some kind. 
+			// POST all this stuff to the other site.
 
-		$leading_junk = substr($res,0,strpos($res,'<?xml'));
+			$res = post_url($dfrn_confirm,$params);
 
-		$res = substr($res,strpos($res,'<?xml'));
-		if(! strlen($res)) {
+			// Now figure out what they responded. Try to be robust if the remote site is 
+			// having difficulty and throwing up errors of some kind. 
 
-				// No XML at all, this exchange is messed up really bad.
-				// We shouldn't proceed, because the xml parser might choke,
-				// and $status is going to be zero, which indicates success.
-				// We can hardly call this a success.  
+			$leading_junk = substr($res,0,strpos($res,'<?xml'));
 
-			notice( t('Response from remote site was not understood.') . EOL);
-			return;
-		}
+			$res = substr($res,strpos($res,'<?xml'));
+			if(! strlen($res)) {
 
-		if(strlen($leading_junk) && get_config('system','debugging')) {
+					// No XML at all, this exchange is messed up really bad.
+					// We shouldn't proceed, because the xml parser might choke,
+					// and $status is going to be zero, which indicates success.
+					// We can hardly call this a success.  
+	
+				notice( t('Response from remote site was not understood.') . EOL);
+				return;
+			}
 
-				// This might be more common. Mixed error text and some XML.
-				// If we're configured for debugging, show the text. Proceed in either case.
+			if(strlen($leading_junk) && get_config('system','debugging')) {
+	
+					// This might be more common. Mixed error text and some XML.
+					// If we're configured for debugging, show the text. Proceed in either case.
 
-			notice( t('Unexpected response from remote site: ') . EOL . $leading_junk . EOL );
-		}
+				notice( t('Unexpected response from remote site: ') . EOL . $leading_junk . EOL );
+			}
 
-		$xml = simplexml_load_string($res);
-		$status = (int) $xml->status;
-		$message = unxmlify($xml->message);   // human readable text of what may have gone wrong.
-		switch($status) {
-			case 0:
-				notice( t("Confirmation completed successfully.") . EOL);
-				if(strlen($message))
-					notice( t('Remote site reported: ') . $message . EOL);
-				break;
-			case 1:
-				// birthday paradox - generate new dfrn-id and fall through.
-				$new_dfrn_id = random_string();
-				$r = q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
-					dbesc($new_dfrn_id),
-					intval($contact_id),
-					intval($uid) 
+			$xml = simplexml_load_string($res);
+			$status = (int) $xml->status;
+			$message = unxmlify($xml->message);   // human readable text of what may have gone wrong.
+			switch($status) {
+				case 0:
+					notice( t("Confirmation completed successfully.") . EOL);
+					if(strlen($message))
+						notice( t('Remote site reported: ') . $message . EOL);
+					break;
+				case 1:
+					// birthday paradox - generate new dfrn-id and fall through.
+					$new_dfrn_id = random_string();
+					$r = q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d LIMIT 1",
+						dbesc($new_dfrn_id),
+						intval($contact_id),
+						intval($uid) 
+					);
+
+				case 2:
+					notice( t("Temporary failure. Please wait and try again.") . EOL);
+					if(strlen($message))
+						notice( t('Remote site reported: ') . $message . EOL);
+					break;
+
+
+				case 3:
+					notice( t("Introduction failed or was revoked.") . EOL);
+					if(strlen($message))
+						notice( t('Remote site reported: ') . $message . EOL);
+					break;
+				}
+
+			if(($status == 0) && ($intro_id)) {
+	
+				// Success. Delete the notification.
+	
+				$r = q("DELETE FROM `intro` WHERE `id` = %d AND `uid` = %d LIMIT 1",
+					intval($intro_id),
+					intval($uid)
 				);
-
-			case 2:
-				notice( t("Temporary failure. Please wait and try again.") . EOL);
-				if(strlen($message))
-					notice( t('Remote site reported: ') . $message . EOL);
-				break;
-
-
-			case 3:
-				notice( t("Introduction failed or was revoked.") . EOL);
-				if(strlen($message))
-					notice( t('Remote site reported: ') . $message . EOL);
-				break;
+				
 			}
 
-		if(($status == 0) && ($intro_id)) {
-
-			// Success. Delete the notification.
-
-			$r = q("DELETE FROM `intro` WHERE `id` = %d AND `uid` = %d LIMIT 1",
-				intval($intro_id),
-				intval($uid)
-			);
-			
+			if($status != 0) 
+				return;
 		}
 
-		if($status != 0) 
-			return;
-		
 		// We have now established a relationship with the other site.
 		// Let's make our own personal copy of their profile photo so we don't have
 		// to always load it from their site.
@@ -223,36 +231,29 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 
 		$photo_failure = false;
 
-		$r = q("SELECT `photo` FROM `contact` WHERE `id` = %d LIMIT 1",
-			intval($contact_id));
-		if(count($r)) {
-
-			$filename = basename($r[0]['photo']);
-			$img_str = fetch_url($r[0]['photo'],true);
-			$img = new Photo($img_str);
-			if($img->is_valid()) {
+		$filename = basename($contact['photo']);
+		$img_str = fetch_url($contact['photo'],true);
+		$img = new Photo($img_str);
+		if($img->is_valid()) {
 
-				$img->scaleImageSquare(175);
+			$img->scaleImageSquare(175);
 					
-				$hash = photo_new_resource();
+			$hash = photo_new_resource();
 
-				$r = $img->store($uid, $contact_id, $hash, $filename, t('Contact Photos'), 4 );
+			$r = $img->store($uid, $contact_id, $hash, $filename, t('Contact Photos'), 4 );
 
-				if($r === false)
-					$photo_failure = true;
-
-				$img->scaleImage(80);
+			if($r === false)
+				$photo_failure = true;
 
-				$r = $img->store($uid, $contact_id, $hash, $filename, t('Contact Photos'), 5 );
+			$img->scaleImage(80);
 
-				if($r === false)
-					$photo_failure = true;
+			$r = $img->store($uid, $contact_id, $hash, $filename, t('Contact Photos'), 5 );
 
-				$photo = $a->get_baseurl() . '/photo/' . $hash . '-4.jpg';
-				$thumb = $a->get_baseurl() . '/photo/' . $hash . '-5.jpg';
-			}
-			else
+			if($r === false)
 				$photo_failure = true;
+
+			$photo = $a->get_baseurl() . '/photo/' . $hash . '-4.jpg';
+			$thumb = $a->get_baseurl() . '/photo/' . $hash . '-5.jpg';
 		}
 		else
 			$photo_failure = true;
@@ -262,40 +263,89 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 			$thumb = $a->get_baseurl() . '/images/default-profile-sm.jpg';
 		}
 
-		$new_relation = REL_VIP;
-		if(($relation == REL_FAN) || ($duplex))
-			$new_relation = REL_BUD;
 
-		$r = q("UPDATE `contact` SET `photo` = '%s', 
-			`thumb` = '%s', 
-			`rel` = %d, 
-			`name-date` = '%s', 
-			`uri-date` = '%s', 
-			`avatar-date` = '%s', 
-			`blocked` = 0, 
-			`pending` = 0,
-			`duplex` = %d,
-			`network` = 'dfrn' WHERE `id` = %d LIMIT 1
-		",
-			dbesc($photo),
-			dbesc($thumb),
-			intval($new_relation),
-			dbesc(datetime_convert()),
-			dbesc(datetime_convert()),
-			dbesc(datetime_convert()),
-			intval($duplex),
-			intval($contact_id)
-		);
+		if($contact['network'] === 'dfrn') {
+
+			$new_relation = REL_VIP;
+			if(($relation == REL_FAN) || ($duplex))
+				$new_relation = REL_BUD;
+
+			$r = q("UPDATE `contact` SET `photo` = '%s', 
+				`thumb` = '%s', 
+				`rel` = %d, 
+				`name-date` = '%s', 
+				`uri-date` = '%s', 
+				`avatar-date` = '%s', 
+				`blocked` = 0, 
+				`pending` = 0,
+				`duplex` = %d,
+				`network` = 'dfrn' WHERE `id` = %d LIMIT 1
+			",
+				dbesc($photo),
+				dbesc($thumb),
+				intval($new_relation),
+				dbesc(datetime_convert()),
+				dbesc(datetime_convert()),
+				dbesc(datetime_convert()),
+				intval($duplex),
+				intval($contact_id)
+			);
+		}
+		else {  
+
+			$notify = '';
+			$poll   = '';
+
+			// $contact['network'] !== 'dfrn'
+
+			$arr = lrdd($contact['url']);
+			if(count($arr)) {
+				foreach($arr as $link) {
+					if($link['@attributes']['rel'] === 'salmon')
+						$notify = $link['@attributes']['href'];
+					if($link['@attributes']['rel'] === NAMESPACE_FEED)
+						$poll = $link['@attributes']['href'];
+				}
+			}
+
+			$r = q("DELETE FROM `intro` WHERE `id` = %d AND `uid` = %d LIMIT 1",
+				intval($intro_id),
+				intval($uid)
+			);
+
+			$r = q("UPDATE `contact` SET `photo` = '%s', 
+				`thumb` = '%s', 
+				`name-date` = '%s', 
+				`uri-date` = '%s', 
+				`avatar-date` = '%s', 
+				`notify` = '%s',
+				`poll` = '%s',
+				`blocked` = 0, 
+				`pending` = 0
+				WHERE `id` = %d LIMIT 1
+			",
+				dbesc($photo),
+				dbesc($thumb),
+				dbesc(datetime_convert()),
+				dbesc(datetime_convert()),
+				dbesc(datetime_convert()),
+				dbesc($notify),
+				dbesc($poll),
+				intval($contact_id)
+			);			
+		}
+
 		if($r === false)
-			notice( t('Unable to set contact photo.') . EOL);
+				notice( t('Unable to set contact photo.') . EOL);
 
 
 		// Let's send our user to the contact editor in case they want to
 		// do anything special with this new friend.
- 
+
 		if($handsfree === null)
 			goaway($a->get_baseurl() . '/contacts/' . intval($contact_id));
 		return;  //NOTREACHED
+
 	}
 
 
@@ -480,7 +530,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
 			intval($duplex),
 			intval($dfrn_record)
 		);
-		if($r === false) { // indicates schema is messed up or total db failure
+		if($r === false) {    // indicates schema is messed up or total db failure
 			$message = t('Unable to update your contact profile details on our system');
 			xml_status(3,$message);
 		}
-- 
cgit v1.2.3