1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
<?php
namespace Zotlabs\Module;
use App;
use Zotlabs\Web\Controller;
use Zotlabs\Lib\Activity;
use Zotlabs\Lib\ActivityStreams;
use Zotlabs\Lib\Config;
use Zotlabs\Web\HTTPSig;
require_once('include/security.php');
require_once('include/attach.php');
require_once('include/photo/photo_driver.php');
require_once('include/photos.php');
class Album extends Controller {
function init() {
if (ActivityStreams::is_as_request()) {
$sigdata = HTTPSig::verify(EMPTY_STR);
if ($sigdata['portable_id'] && $sigdata['header_valid']) {
$portable_id = $sigdata['portable_id'];
if (!check_channelallowed($portable_id)) {
http_status_exit(403, 'Permission denied');
}
if (!check_siteallowed($sigdata['signer'])) {
http_status_exit(403, 'Permission denied');
}
observer_auth($portable_id);
}
elseif (Config::get('system', 'require_authenticated_fetch', false)) {
http_status_exit(403, 'Permission denied');
}
$observer_xchan = get_observer_hash();
$allowed = false;
$bear = Activity::token_from_request();
if ($bear) {
logger('bear: ' . $bear, LOGGER_DEBUG);
}
$channel = null;
if (argc() > 1) {
$channel = channelx_by_nick(argv(1));
}
if (!$channel) {
http_status_exit(404, 'Not found.');
}
$sql_extra = permissions_sql($channel['channel_id'], $observer_xchan);
if (argc() > 2) {
$folder = argv(2);
$r = q("select * from attach where is_dir = 1 and hash = '%s' and uid = %d $sql_extra limit 1",
dbesc($folder),
intval($channel['channel_id'])
);
$allowed = (($r) ? attach_can_view($channel['channel_id'], $observer_xchan, $r[0]['hash'] /*,$bear */) : false);
}
else {
$folder = EMPTY_STR;
$allowed = perm_is_allowed($channel['channel_id'], $observer_xchan, 'view_storage');
}
if (!$allowed) {
http_status_exit(403, 'Permission denied.');
}
$x = q("select * from attach where folder = '%s' and uid = %d $sql_extra",
dbesc($folder),
intval($channel['channel_id'])
);
$contents = [];
if ($x) {
foreach ($x as $xv) {
if (intval($xv['is_dir'])) {
continue;
}
if (!attach_can_view($channel['channel_id'], $observer_xchan, $xv['hash'] /*,$bear*/)) {
continue;
}
if (intval($xv['is_photo'])) {
$contents[] = z_root() . '/photo/' . $xv['hash'];
}
}
}
$obj = Activity::encode_simple_collection($contents, App::$query_string, 'OrderedCollection', count($contents));
as_return_and_die($obj, $channel);
}
}
}
|
