check permissions for mail to non-connected people, reject if no permission - but you can try and send mail to any webbie. We probably should check for this before you send the message but perhaps we can find another way to let you know if it's allowed or not without an expensive probe. Like mod_follow, a webbie without an @ is treated as a local address.
This commit is contained in:
friendica
parent
270266357d
commit
186163a5ce
15
mod/acl.php
15
mod/acl.php
@ -29,7 +29,10 @@ function acl_init(&$a){
|
|||||||
if ($search!=""){
|
if ($search!=""){
|
||||||
$sql_extra = "AND `name` LIKE '%%".dbesc($search)."%%'";
|
$sql_extra = "AND `name` LIKE '%%".dbesc($search)."%%'";
|
||||||
$sql_extra2 = "AND (`attag` LIKE '%%".dbesc($search)."%%' OR `name` LIKE '%%".dbesc($search)."%%' OR `nick` LIKE '%%".dbesc($search)."%%')";
|
$sql_extra2 = "AND (`attag` LIKE '%%".dbesc($search)."%%' OR `name` LIKE '%%".dbesc($search)."%%' OR `nick` LIKE '%%".dbesc($search)."%%')";
|
||||||
$sql_extra3 = "AND ( xchan_name like '%%" . dbesc($search) . "%%' )";
|
|
||||||
|
$col = ((strpos($search,'@') !== false) ? 'xchan_addr' : 'xchan_name' );
|
||||||
|
$sql_extra3 = "AND $col like " . protect_sprintf( "'%" . dbesc($search) . "%'" ) . " ";
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
$sql_extra = $sql_extra2 = $sql_extra3 = "";
|
$sql_extra = $sql_extra2 = $sql_extra3 = "";
|
||||||
}
|
}
|
||||||
@ -127,12 +130,16 @@ function acl_init(&$a){
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
elseif($type == 'm') {
|
elseif($type == 'm') {
|
||||||
$r = q("SELECT xchan_hash as id, xchan_name as name, xchan_photo_s as micro, xchan_url as url from xchan
|
dbg(1);
|
||||||
where 1
|
$r = q("SELECT xchan_hash as id, xchan_name as name, xchan_addr as nick, xchan_photo_s as micro, xchan_url as url
|
||||||
|
FROM abook left join xchan on abook_xchan = xchan_hash
|
||||||
|
WHERE abook_channel = %d and ( (abook_their_perms = null) or (abook_their_perms & %d ))
|
||||||
$sql_extra3
|
$sql_extra3
|
||||||
ORDER BY `xchan_name` ASC ",
|
ORDER BY `xchan_name` ASC ",
|
||||||
intval(local_user())
|
intval(local_user()),
|
||||||
|
intval(PERMS_W_MAIL)
|
||||||
);
|
);
|
||||||
|
dbg(0);
|
||||||
}
|
}
|
||||||
elseif($type == 'a') {
|
elseif($type == 'a') {
|
||||||
$r = q("SELECT abook_id as id, xchan_name as name, xchan_addr as nick, xchan_photo_s as micro, xchan_network as network, xchan_url as url, xchan_addr as attag FROM abook left join xchan on abook_xchan = xchan_hash
|
$r = q("SELECT abook_id as id, xchan_name as name, xchan_addr as nick, xchan_photo_s as micro, xchan_network as network, xchan_url as url, xchan_addr as attag FROM abook left join xchan on abook_xchan = xchan_hash
|
||||||
|
|||||||
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
require_once('include/acl_selectors.php');
|
require_once('include/acl_selectors.php');
|
||||||
require_once('include/message.php');
|
require_once('include/message.php');
|
||||||
|
require_once('include/zot.php');
|
||||||
|
|
||||||
function message_init(&$a) {
|
function message_init(&$a) {
|
||||||
$tabs = array();
|
$tabs = array();
|
||||||
@ -45,10 +46,64 @@ function message_post(&$a) {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
$replyto = ((x($_REQUEST,'replyto')) ? notags(trim($_REQUEST['replyto'])) : '');
|
$replyto = ((x($_REQUEST,'replyto')) ? notags(trim($_REQUEST['replyto'])) : '');
|
||||||
$subject = ((x($_REQUEST,'subject')) ? notags(trim($_REQUEST['subject'])) : '');
|
$subject = ((x($_REQUEST,'subject')) ? notags(trim($_REQUEST['subject'])) : '');
|
||||||
$body = ((x($_REQUEST,'body')) ? escape_tags(trim($_REQUEST['body'])) : '');
|
$body = ((x($_REQUEST,'body')) ? escape_tags(trim($_REQUEST['body'])) : '');
|
||||||
$recipient = ((x($_REQUEST,'messageto')) ? notags(trim($_REQUEST['messageto'])) : '');
|
$recipient = ((x($_REQUEST,'messageto')) ? notags(trim($_REQUEST['messageto'])) : '');
|
||||||
|
$rstr = ((x($_REQUEST,'messagerecip')) ? notags(trim($_REQUEST['messagerecip'])) : '');
|
||||||
|
|
||||||
|
if(! $recipient) {
|
||||||
|
$channel = $a->get_channel();
|
||||||
|
|
||||||
|
$ret = zot_finger($rstr,$channel);
|
||||||
|
|
||||||
|
if(! $ret) {
|
||||||
|
notice( t('Unable to lookup recipient.') . EOL);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$j = json_decode($ret['body'],true);
|
||||||
|
|
||||||
|
logger('message_post: lookup: ' . $url . ' ' . print_r($j,true));
|
||||||
|
|
||||||
|
if(! ($j['success'] && $j['guid'])) {
|
||||||
|
notice( t('Unable to communicate with requested channel.'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$x = import_xchan($j);
|
||||||
|
|
||||||
|
if(! $x['success']) {
|
||||||
|
notice( t('Cannot verify requested channel.'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$recipient = $x['hash'];
|
||||||
|
|
||||||
|
$their_perms = 0;
|
||||||
|
|
||||||
|
$global_perms = get_perms();
|
||||||
|
|
||||||
|
if($j['permissions']['data']) {
|
||||||
|
$permissions = aes_unencapsulate($j['permissions'],$channel['channel_prvkey']);
|
||||||
|
if($permissions)
|
||||||
|
$permissions = json_decode($permissions);
|
||||||
|
logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
$permissions = $j['permissions'];
|
||||||
|
|
||||||
|
foreach($permissions as $k => $v) {
|
||||||
|
if($v) {
|
||||||
|
$their_perms = $their_perms | intval($global_perms[$k][1]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(! ($their_perms & PERMS_W_MAIL)) {
|
||||||
|
notice( t('Selected channel has private message restrictions. Send failed.'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if(feature_enabled(local_user(),'richtext')) {
|
if(feature_enabled(local_user(),'richtext')) {
|
||||||
$body = fix_mce_lf($body);
|
$body = fix_mce_lf($body);
|
||||||
|
|||||||
Reference in New Issue
Block a user