From 3d7d6ec21f1b348221ad6f25d9865213339a6b47 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sat, 26 Jul 2014 18:48:25 -0700
Subject: honour sys channel permissions for who can view the sys owned content

---
 mod/display.php | 13 +++++++++++--
 mod/search.php  |  8 +++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

(limited to 'mod')

diff --git a/mod/display.php b/mod/display.php
index 31cce95d3..c389eb976 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -139,7 +139,9 @@ function display_content(&$a, $update = 0, $load = false) {
 
 	}
 
-	$sql_extra = public_permissions_sql(get_observer_hash());
+	$observer_hash = get_observer_hash();
+
+	$sql_extra = public_permissions_sql($observer_hash);
 
 	if(($update && $load) || ($_COOKIE['jsAvailable'] != 1)) {
 
@@ -170,12 +172,19 @@ function display_content(&$a, $update = 0, $load = false) {
 			}
 			if($r === null) {
 
+				// in case somebody turned off public access to sys channel content using permissions
+				// make that content unsearchable by ensuring the owner_xchan can't match
+
+				if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
+					$sys['xchan_hash'] .= 'disabled';
+
+
 				$r = q("SELECT * from item
 					WHERE item_restrict = 0
 					and mid = '%s'
 					AND (((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' 
 					AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
-					and owner_xchan in ( " . stream_perms_xchans(($observer) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
+					and owner_xchan in ( " . stream_perms_xchans(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
 					OR owner_xchan = '%s')
 					$sql_extra )
 					group by mid limit 1",
diff --git a/mod/search.php b/mod/search.php
index 663d355e2..15ac71376 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -23,6 +23,7 @@ function search_content(&$a,$update = 0, $load = false) {
 
 
 	$observer = $a->get_observer();
+	$observer_hash = (($observer) ? $observer['xchan_hash'] : '');
 
 	$o = '<div id="live-search"></div>' . "\r\n";
 
@@ -113,7 +114,7 @@ function search_content(&$a,$update = 0, $load = false) {
 
 	}
 
-	$pub_sql = public_permissions_sql(get_observer_hash());
+	$pub_sql = public_permissions_sql($observer_hash);
 
 	require_once('include/identity.php');
 
@@ -124,6 +125,11 @@ function search_content(&$a,$update = 0, $load = false) {
 		$a->set_pager_itemspage(((intval($itemspage)) ? $itemspage : 20));
 		$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
 
+		// in case somebody turned off public access to sys channel content with permissions
+
+		if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
+			$sys['xchan_hash'] .= 'disabled';
+
 		if($load) {
 			$r = null;
 
-- 
cgit v1.2.3