From 956d275693c451c4d9ba60751704b80257f37433 Mon Sep 17 00:00:00 2001
From: friendica <info@friendica.com>
Date: Sun, 22 Sep 2013 22:52:48 -0700
Subject: fixes for display and search privacy enforcement

---
 mod/display.php |  4 +++-
 mod/search.php  | 62 ++++++++++++++++++++++++++++++++++-----------------------
 2 files changed, 40 insertions(+), 26 deletions(-)

(limited to 'mod')

diff --git a/mod/display.php b/mod/display.php
index d19502eb1..476087ce7 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
 				}
 			}
 			if($r === null) {
+dbg(1);
 				$r = q("SELECT * from item
 					WHERE item_restrict = 0
 					and mid = '%s'
 					AND ((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' 
 					AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
-					and uid in ( " . stream_perms_api_uids() . " ))
+					and owner_xchan in ( " . stream_perms_xchans() . " ))
 					$sql_extra )
 					group by mid limit 1",
 					dbesc($target_item['parent_mid'])
 				);
+dbg(0);
 			}
 
 		}
diff --git a/mod/search.php b/mod/search.php
index 38131f63f..1cb6cb461 100644
--- a/mod/search.php
+++ b/mod/search.php
@@ -183,23 +183,37 @@ function search_content(&$a,$update = 0, $load = false) {
 
 	}
 
-
+	$pub_sql = public_permissions_sql(get_observer_hash());
 
 	if(($update) && ($load)) {
 		$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
-dbg(1);
+
 		if($load) {
-			$r = q("SELECT distinct mid, id as item_id from item
-				WHERE item_restrict = 0
-				AND (( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
-				OR ( `item`.`uid` = %d ))
-				$sql_extra
-				group by mid ORDER BY created DESC $pager_sql ",
-				intval(local_user()),
-				intval(ABOOK_FLAG_BLOCKED)
+			$r = null;
+
+			if(local_user()) {
+				$r = q("SELECT distinct mid, item.* from item
+					WHERE item_restrict = 0
+					AND (( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
+					OR ( `item`.`uid` = %d ))
+					$sql_extra
+					group by mid ORDER BY created DESC $pager_sql ",
+					intval(local_user()),
+					intval(ABOOK_FLAG_BLOCKED)
 
-			);
-dbg(0);
+				);
+			}
+			if($r === null) {
+               $r = q("SELECT distinct mid, item.* from item
+                    WHERE item_restrict = 0
+                    AND ((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = ''
+                    AND `item`.`deny_gid`  = '' AND item_private = 0 )
+                    and owner_xchan in ( " . stream_perms_xchans() . " ))
+					$pub_sql )
+                    $sql_extra 
+                    group by mid ORDER BY created DESC $pager_sql"
+                );
+			}
 		}
 		else {
 			$r = array();
@@ -208,19 +222,17 @@ dbg(0);
 
 	if($r) {
 
-		$parents_str = ids_to_querystr($r,'item_id');
-dbg(1); 
-		$items = q("SELECT `item`.*, `item`.`id` AS `item_id` 
-			FROM `item`
-			WHERE item_restrict = 0 
-			$sql_extra and parent in ( $parents_str ) "
-//			intval($a->profile['profile_uid']),
-//			dbesc($parents_str)
-		);
-dbg(0);
-		xchan_query($items);
-		$items = fetch_post_tags($items,true);
-		$items = conv_sort($items,'created');
+//		$parents_str = ids_to_querystr($r,'item_id');
+
+//		$items = q("SELECT `item`.*, `item`.`id` AS `item_id` 
+//			FROM `item`
+//			WHERE item_restrict = 0 
+//			$sql_extra and parent in ( $parents_str ) "
+//		);
+
+		xchan_query($r);
+		$items = fetch_post_tags($r,true);
+//		$items = conv_sort($items,'created');
 
 	} else {
 		$items = array();
-- 
cgit v1.2.3