From ed7712cfbf9835368de79f8686954b536c12e4d1 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 21 Oct 2014 16:33:35 -0700 Subject: private forum issues --- mod/item.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index ac15e50e8..589e3beb1 100644 --- a/mod/item.php +++ b/mod/item.php @@ -257,10 +257,16 @@ function item_post(&$a) { killme(); } + $walltowall = false; + if($observer) { logger('mod_item: post accepted from ' . $observer['xchan_name'] . ' for ' . $owner_xchan['xchan_name'], LOGGER_DEBUG); + if($observer['xchan_name'] != $owner_xchan['xchan_name']) + $walltowall = true; } + + $public_policy = ((x($_REQUEST,'public_policy')) ? escape_tags($_REQUEST['public_policy']) : map_scope($channel['channel_r_stream'],true)); if($webpage) $public_policy = ''; @@ -329,6 +335,15 @@ function item_post(&$a) { $str_group_deny = $channel['channel_deny_gid']; $str_contact_deny = $channel['channel_deny_cid']; } + elseif($walltowall) { + + // use the channel owner's default permissions + + $str_group_allow = $channel['channel_allow_gid']; + $str_contact_allow = $channel['channel_allow_cid']; + $str_group_deny = $channel['channel_deny_gid']; + $str_contact_deny = $channel['channel_deny_cid']; + } else { // use the posted permissions -- cgit v1.2.3 From 58c692e3897a7807fed23e2633496c4960f022ca Mon Sep 17 00:00:00 2001 From: friendica Date: Wed, 22 Oct 2014 20:39:49 -0700 Subject: improved wall-to-wall detection for comments so we can handle Diaspora signing and wall-to-wall attribution correctly. Do it at the point of submission. This also fixes a potential bug in yesterday's wall-to-wall permission setting, if it was a local comment to a remote post. --- mod/item.php | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index 589e3beb1..ad567b21f 100644 --- a/mod/item.php +++ b/mod/item.php @@ -258,15 +258,26 @@ function item_post(&$a) { } $walltowall = false; + $walltowall_comment = false; if($observer) { logger('mod_item: post accepted from ' . $observer['xchan_name'] . ' for ' . $owner_xchan['xchan_name'], LOGGER_DEBUG); - if($observer['xchan_name'] != $owner_xchan['xchan_name']) - $walltowall = true; - } - + // wall-to-wall detection. + // For top-level posts, if the author and owner are different it's a wall-to-wall + // For comments, We need to additionally look at the parent and see if it's a wall post that originated locally. + if($observer['xchan_name'] != $owner_xchan['xchan_name']) { + if($parent_item && ($parent_item['item_flags'] & (ITEM_WALL|ITEM_ORIGIN)) == (ITEM_WALL|ITEM_ORIGIN)) { + $walltowall_comment = true; + $walltowall = true; + } + if(! $parent) { + $walltowall = true; + } + } + } + $public_policy = ((x($_REQUEST,'public_policy')) ? escape_tags($_REQUEST['public_policy']) : map_scope($channel['channel_r_stream'],true)); if($webpage) $public_policy = ''; @@ -874,10 +885,9 @@ function item_post(&$a) { if($parent) { // Store the comment signature information in case we need to relay to Diaspora -//FIXME $ditem = $datarray; $ditem['author'] = $observer; - store_diaspora_comment_sig($ditem,$channel,$parent_item, $post_id); + store_diaspora_comment_sig($ditem,$channel,$parent_item, $post_id, (($walltowall_comment) ? 1 : 0)); } update_remote_id($channel,$post_id,$webpage,$pagetitle,$namespace,$remote_id,$mid); -- cgit v1.2.3 From 38801f802f9fd0eedd68e00ddf6707ace7220eba Mon Sep 17 00:00:00 2001 From: Thomas Willingham Date: Fri, 24 Oct 2014 17:46:31 +0100 Subject: Issue #661 --- mod/item.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index ad567b21f..dd6d0e217 100644 --- a/mod/item.php +++ b/mod/item.php @@ -77,7 +77,7 @@ function item_post(&$a) { $preview = ((x($_REQUEST,'preview')) ? intval($_REQUEST['preview']) : 0); $categories = ((x($_REQUEST,'category')) ? escape_tags($_REQUEST['category']) : ''); $webpage = ((x($_REQUEST,'webpage')) ? intval($_REQUEST['webpage']) : 0); - $pagetitle = ((x($_REQUEST,'pagetitle')) ? escape_tags($_REQUEST['pagetitle']) : ''); + $pagetitle = ((x($_REQUEST,'pagetitle')) ? escape_tags(urlencode($_REQUEST['pagetitle'])) : ''); $layout_mid = ((x($_REQUEST,'layout_mid')) ? escape_tags($_REQUEST['layout_mid']): ''); $plink = ((x($_REQUEST,'permalink')) ? escape_tags($_REQUEST['permalink']) : ''); -- cgit v1.2.3 From 9cc76cb33da489c01731ecb5195f8bb3d51ce513 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 27 Oct 2014 19:21:41 -0700 Subject: several unrelated things - auto_follow wasn't working for new accounts, error returned in private mention to a collection, and added auto-completion to photo tags; though it only matches people so the hover text is now wrong. Also made the photo edit form XHTML (XML) compliant. --- mod/item.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index dd6d0e217..22d285571 100644 --- a/mod/item.php +++ b/mod/item.php @@ -1181,9 +1181,10 @@ function handle_tag($a, &$body, &$access_tag, &$str_tags, $profile_uid, $tag) { if(local_user() && local_user() == $profile_uid) { require_once('include/group.php'); $grp = group_byname($profile_uid,$name); + if($grp) { $g = q("select hash from groups where id = %d and visible = 1 limit 1", - intval($grp[0]['id']) + intval($grp) ); if($g && $exclusive) { $access_tag .= 'gid:' . $g[0]['hash']; -- cgit v1.2.3 From 7d9f785758ee6e4c19838e532f9930e227e95fc6 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 28 Oct 2014 20:01:44 -0700 Subject: if any privacy tags are created on a top level post, restrict the post; since it could have been quite sensitive. If there were errors processing the actual tag restrict the post to the profile owner. Also make the "privacy tag over-rides ACL" behaviour configurable. Default is that privacy tags over-ride the ACL. --- mod/item.php | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index 22d285571..3dea8809c 100644 --- a/mod/item.php +++ b/mod/item.php @@ -596,7 +596,14 @@ function item_post(&$a) { logger('handle_tag: ' . print_r($success,tue), LOGGER_DATA); if(($access_tag) && (! $parent_item)) { logger('access_tag: ' . $tag . ' ' . print_r($access_tag,true), LOGGER_DATA); - if ($first_access_tag) { + if ($first_access_tag && (! get_pconfig($profile_uid,'system','no_private_mention_acl_override'))) { + + // This is a tough call, hence configurable. The issue is that one can type in a @!privacy mention + // and also have a default ACL (perhaps from viewing a collection) and could be suprised that the + // privacy mention wasn't the only recipient. So the default is to wipe out the existing ACL if a + // private mention is found. This can be over-ridden if you wish private mentions to be in + // addition to the current ACL settings. + $str_contact_allow = ''; $str_group_allow = ''; $first_access_tag = false; @@ -1162,6 +1169,8 @@ function handle_tag($a, &$body, &$access_tag, &$str_tags, $profile_uid, $tag) { // $r is set if we found something + $channel = get_app()->get_channel(); + if($r) { $profile = $r[0]['xchan_url']; $newname = $r[0]['xchan_name']; @@ -1198,6 +1207,10 @@ function handle_tag($a, &$body, &$access_tag, &$str_tags, $profile_uid, $tag) { } } + if(($exclusive) && (! $access_tag)) { + $access_tag .= 'cid:' . $channel['channel_hash']; + } + // if there is an url for this channel if(isset($profile)) { -- cgit v1.2.3 From a80e696b772d75a6b2bc5c1846f84ba538ee6289 Mon Sep 17 00:00:00 2001 From: friendica Date: Mon, 3 Nov 2014 17:35:42 -0800 Subject: wall posted comment to a top-level wall post which arrived via a route (e.g. was posted to a forum) had no route, hence downstream recipients report route mismatch --- mod/item.php | 3 +++ 1 file changed, 3 insertions(+) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index 3dea8809c..e7d886b00 100644 --- a/mod/item.php +++ b/mod/item.php @@ -112,6 +112,7 @@ function item_post(&$a) { $parent = ((x($_REQUEST,'parent')) ? intval($_REQUEST['parent']) : 0); $parent_mid = ((x($_REQUEST,'parent_mid')) ? trim($_REQUEST['parent_mid']) : ''); + $route = ''; $parent_item = null; $parent_contact = null; $thr_parent = ''; @@ -163,6 +164,7 @@ function item_post(&$a) { $thr_parent = $parent_mid; + $route = $parent_item['route']; } @@ -753,6 +755,7 @@ function item_post(&$a) { $datarray['comment_policy'] = map_scope($channel['channel_w_comment']); $datarray['term'] = $post_tags; $datarray['plink'] = $plink; + $datarray['route'] = $route; // preview mode - prepare the body for display and send it via json -- cgit v1.2.3 From 570577a99089ff5bb48c5c67a612bdd874721e95 Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 11 Nov 2014 18:05:50 -0800 Subject: a couple of places where we need to look for a sys channel euid. --- mod/item.php | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index e7d886b00..9688dbfe1 100644 --- a/mod/item.php +++ b/mod/item.php @@ -32,9 +32,17 @@ function item_post(&$a) { require_once('include/security.php'); $uid = local_user(); - $channel = null; + if(array_key_exists('sys',$_REQUEST) && $_REQUEST['sys'] == 1 && is_site_admin()) { + require_once('include/identity.php'); + $sys = get_sys_channel(); + if($sys && intval($sys['channel_id'])) { + $uid = intval($sys['channel_id']); + $channel = $sys; + } + } + if(x($_REQUEST,'dropitems')) { require_once('include/items.php'); $arr_drop = explode(',',$_REQUEST['dropitems']); @@ -87,8 +95,8 @@ function item_post(&$a) { /* * Check service class limits */ - if (local_user() && !(x($_REQUEST,'parent')) && !(x($_REQUEST,'post_id'))) { - $ret = item_check_service_class(local_user(),x($_REQUEST,'webpage')); + if ($uid && !(x($_REQUEST,'parent')) && !(x($_REQUEST,'post_id'))) { + $ret = item_check_service_class($uid,x($_REQUEST,'webpage')); if (!$ret['success']) { notice( t($ret['message']) . EOL) ; if(x($_REQUEST,'return')) @@ -129,11 +137,11 @@ function item_post(&$a) { intval($parent) ); } - elseif($parent_mid && local_user()) { + elseif($parent_mid && $uid) { // This is coming from an API source, and we are logged in $r = q("SELECT * FROM `item` WHERE `mid` = '%s' AND `uid` = %d LIMIT 1", dbesc($parent_mid), - intval(local_user()) + intval($uid) ); } // if this isn't the real parent of the conversation, find it @@ -223,7 +231,7 @@ function item_post(&$a) { if(! $channel) { - if(local_user() && local_user() == $profile_uid) { + if($uid && $uid == $profile_uid) { $channel = $a->get_channel(); } else { @@ -446,7 +454,7 @@ function item_post(&$a) { intval($profile_uid) ); if($z && ($z[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE)) { - if(local_user() && (get_account_id() == $z[0]['account_id'])) { + if($uid && (get_account_id() == $z[0]['account_id'])) { $execflag = true; } else { @@ -461,7 +469,7 @@ function item_post(&$a) { if($mimetype === 'text/bbcode') { - if(local_user() && local_user() == $profile_uid && feature_enabled(local_user(),'markdown')) { + if($uid && $uid == $profile_uid && feature_enabled($uid,'markdown')) { require_once('include/bb2diaspora.php'); $body = diaspora2bb(escape_tags($body),true); } @@ -594,7 +602,7 @@ function item_post(&$a) { if($fullnametagged) continue; - $success = handle_tag($a, $body, $access_tag, $str_tags, (local_user()) ? local_user() : $profile_uid , $tag); + $success = handle_tag($a, $body, $access_tag, $str_tags, ($uid) ? $uid : $profile_uid , $tag); logger('handle_tag: ' . print_r($success,tue), LOGGER_DATA); if(($access_tag) && (! $parent_item)) { logger('access_tag: ' . $tag . ' ' . print_r($access_tag,true), LOGGER_DATA); @@ -797,7 +805,7 @@ function item_post(&$a) { $datarray['body'] = z_input_filter($datarray['uid'],$datarray['body'],$datarray['mimetype']); - if(local_user()) { + if($uid) { if($channel['channel_hash'] === $datarray['author_xchan']) { $datarray['sig'] = base64url_encode(rsa_sign($datarray['body'],$channel['channel_prvkey'])); $datarray['item_flags'] = $datarray['item_flags'] | ITEM_VERIFIED; -- cgit v1.2.3 From 37742be6af5aee1a5be8ba878379d9e21b39377d Mon Sep 17 00:00:00 2001 From: friendica Date: Tue, 11 Nov 2014 18:57:59 -0800 Subject: some more work on sys publishing --- mod/item.php | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index 9688dbfe1..fdfc43bf2 100644 --- a/mod/item.php +++ b/mod/item.php @@ -33,14 +33,15 @@ function item_post(&$a) { $uid = local_user(); $channel = null; + $observer = null; - if(array_key_exists('sys',$_REQUEST) && $_REQUEST['sys'] == 1 && is_site_admin()) { - require_once('include/identity.php'); - $sys = get_sys_channel(); - if($sys && intval($sys['channel_id'])) { - $uid = intval($sys['channel_id']); - $channel = $sys; - } + $profile_uid = ((x($_REQUEST,'profile_uid')) ? intval($_REQUEST['profile_uid']) : 0); + require_once('include/identity.php'); + $sys = get_sys_channel(); + if($sys && $profile_uid && ($sys['channel_id'] == $profile_uid) && is_site_admin()) { + $uid = intval($sys['channel_id']); + $channel = $sys; + $observer = $sys; } if(x($_REQUEST,'dropitems')) { @@ -78,7 +79,6 @@ function item_post(&$a) { $message_id = ((x($_REQUEST,'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : ''); $created = ((x($_REQUEST,'created')) ? datetime_convert('UTC','UTC',$_REQUEST['created']) : datetime_convert()); - $profile_uid = ((x($_REQUEST,'profile_uid')) ? intval($_REQUEST['profile_uid']) : 0); $post_id = ((x($_REQUEST,'post_id')) ? intval($_REQUEST['post_id']) : 0); $app = ((x($_REQUEST,'source')) ? strip_tags($_REQUEST['source']) : ''); $return_path = ((x($_REQUEST,'return')) ? $_REQUEST['return'] : ''); @@ -176,9 +176,8 @@ function item_post(&$a) { } - - $observer = $a->get_observer(); - + if(! $observer) + $observer = $a->get_observer(); if($parent) { logger('mod_item: item_post parent=' . $parent); -- cgit v1.2.3 From 1a5a5c7edb8697c93f8bababbafa80245378dd7e Mon Sep 17 00:00:00 2001 From: Habeas Codice Date: Thu, 13 Nov 2014 12:21:58 -0800 Subject: PostgreSQL support initial commit There were 11 main types of changes: - UPDATE's and DELETE's sometimes had LIMIT 1 at the end of them. This is not only non-compliant but it would certainly not do what whoever wrote it thought it would. It is likely this mistake was just copied from Friendica. All of these instances, the LIMIT 1 was simply removed. - Bitwise operations (and even some non-zero int checks) erroneously rely on MySQL implicit integer-boolean conversion in the WHERE clauses. This is non-compliant (and bad programming practice to boot). Proper explicit boolean conversions were added. New queries should use proper conventions. - MySQL has a different operator for bitwise XOR than postgres. Rather than add yet another dba_ func, I converted them to "& ~" ("AND NOT") when turning off, and "|" ("OR") when turning on. There were no true toggles (XOR). New queries should refrain from using XOR when not necessary. - There are several fields which the schema has marked as NOT NULL, but the inserts don't specify them. The reason this works is because mysql totally ignores the constraint and adds an empty text default automatically. Again, non-compliant, obviously. In these cases a default of empty text was added. - Several statements rely on a non-standard MySQL feature (http://dev.mysql.com/doc/refman/5.5/en/group-by-handling.html). These queries can all be rewritten to be standards compliant. Interestingly enough, the newly rewritten standards compliant queries run a zillion times faster, even on MySQL. - A couple of function/operator name translations were needed (RAND/RANDOM, GROUP_CONCAT/STRING_AGG, UTC_NOW, REGEXP/~, ^/#) -- assist functions added in the dba_ - INTERVALs: postgres requires quotes around the value, mysql requires that there are not quotes around the value -- assist functions added in the dba_ - NULL_DATE's -- Postgres does not allow the invalid date '0000-00-00 00:00:00' (there is no such thing as year 0 or month 0 or day 0). We use '0001-01-01 00:00:00' for postgres. Conversions are handled in Zot/item packets automagically by quoting all dates with dbescdate(). - char(##) specifications in the schema creates fields with blank spaces that aren't trimmed in the code. MySQL apparently treats char(##) as varchar(##), again, non-compliant. Since postgres works better with text fields anyway, this ball of bugs was simply side-stepped by using 'text' datatype for all text fields in the postgres schema. varchar was used in a couple of places where it actually seemed appropriate (size constraint), but without rigorously vetting that all of the PHP code actually validates data, new bugs might come out from under the rug. - postgres doesn't store nul bytes and a few other non-printables in text fields, even when quoted. bytea fields were used when storing binary data (photo.data, attach.data). A new dbescbin() function was added to handle this transparently. - postgres does not support LIMIT #,# syntax. All databases support LIMIT # OFFSET # syntax. Statements were updated to be standard. These changes require corresponding changes in the coding standards. Please review those before adding any code going forward. Still on my TODO list: - remove quotes from non-reserved identifiers and make reserved identifiers use dba func for quoting - Rewrite search queries for better results (both MySQL and Postgres) --- mod/item.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'mod/item.php') diff --git a/mod/item.php b/mod/item.php index 3dea8809c..026240196 100644 --- a/mod/item.php +++ b/mod/item.php @@ -877,7 +877,7 @@ function item_post(&$a) { // They will show up as people comment on them. if($parent_item['item_restrict'] & ITEM_HIDDEN) { - $r = q("UPDATE `item` SET `item_restrict` = %d WHERE `id` = %d LIMIT 1", + $r = q("UPDATE `item` SET `item_restrict` = %d WHERE `id` = %d", intval($parent_item['item_restrict'] - ITEM_HIDDEN), intval($parent_item['id']) ); @@ -1291,7 +1291,7 @@ function fix_attached_photo_permissions($uid,$xchan_hash,$body, $private = (($str_contact_allow || $str_group_allow || $str_contact_deny || $str_group_deny) ? true : false); $r = q("UPDATE item SET allow_cid = '%s', allow_gid = '%s', deny_cid = '%s', deny_gid = '%s', item_private = %d - WHERE id = %d AND uid = %d limit 1", + WHERE id = %d AND uid = %d", dbesc($str_contact_allow), dbesc($str_group_allow), dbesc($str_contact_deny), @@ -1341,7 +1341,7 @@ function item_check_service_class($channel_id,$iswebpage) { if ($iswebpage) { $r = q("select count(i.id) as total from item i right join channel c on (i.author_xchan=c.channel_hash and i.uid=c.channel_id ) - and i.parent=i.id and (i.item_restrict & %d) and not (i.item_restrict & %d) and i.uid= %d ", + and i.parent=i.id and (i.item_restrict & %d)>0 and not (i.item_restrict & %d)>0 and i.uid= %d ", intval(ITEM_WEBPAGE), intval(ITEM_DELETED), intval($channel_id) -- cgit v1.2.3