harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hopefully this will go over a bit better - check post owner permissions as well as local owner permissions for comments during submission, since the comment was being blindly accepted on the local system due to only checking the profile owner. Also change collections query to include only top-level posts by a member of the collection.

Browse Source
This commit is contained in:
friendica 2013-09-20 17:58:11 -07:00
parent 06389f87df
commit 1126d8f2e3
3 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/items.php
View File

@ -68,6 +68,8 @@ function can_comment_on_post($observer_xchan,$item) {
return false;
if($item['comment_policy'] === 'none')
return false;
if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
return true;
switch($item['comment_policy']) {
case 'self':
if($observer_xchan === $item['author_xchan'] || $observer_xchan === $item['owner_xchan'])
@ -3660,7 +3662,7 @@ function items_fetch($arr,$channel = null,$observer_hash = null,$client_mode = C
info( t('Group is empty'));
}
$sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
$sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
}
elseif($arr['cid'] && $uid) {

10
mod/item.php
View File

@ -153,11 +153,19 @@ function item_post(&$a) {
}
$observer = $a->get_observer();
if($parent) {
logger('mod_item: item_post parent=' . $parent);
if(! can_comment_on_post($observer['xchan_hash'],$parent_item)) {
notice( t('Permission denied.') . EOL) ;
if(x($_REQUEST,'return'))
goaway($a->get_baseurl() . "/" . $return_path );
killme();
}
}
$observer = $a->get_observer();
if(! perm_is_allowed($profile_uid,$observer['xchan_hash'],(($parent) ? 'post_comments' : 'post_wall'))) {
notice( t('Permission denied.') . EOL) ;

2
mod/network.php
View File

@ -446,7 +446,7 @@ function network_content(&$a, $update = 0, $load = false) {
info( t('Group is empty'));
}
$sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and item_restrict = 0 ) ";
$sql_extra = " AND item.parent IN ( SELECT DISTINCT parent FROM item WHERE true $sql_options AND (( author_xchan IN ( $contact_str ) OR owner_xchan in ( $contact_str)) or allow_gid like '" . protect_sprintf('%<' . dbesc($r[0]['hash']) . '>%') . "' ) and id = parent and item_restrict = 0 ) ";
}