harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

honour sys channel permissions for who can view the sys owned content

Browse Source
This commit is contained in:
friendica 2014-07-26 18:48:25 -07:00
parent 4f90070e5e
commit 3d7d6ec21f
3 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
mod/display.php
View File

@ -139,7 +139,9 @@ function display_content(&$a, $update = 0, $load = false) {
} }
$sql_extra = public_permissions_sql(get_observer_hash()); $observer_hash = get_observer_hash();
$sql_extra = public_permissions_sql($observer_hash);
if(($update && $load) || ($_COOKIE['jsAvailable'] != 1)) { if(($update && $load) || ($_COOKIE['jsAvailable'] != 1)) {
@ -170,12 +172,19 @@ function display_content(&$a, $update = 0, $load = false) {
} }
if($r === null) { if($r === null) {
// in case somebody turned off public access to sys channel content using permissions
// make that content unsearchable by ensuring the owner_xchan can't match
if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
$sys['xchan_hash'] .= 'disabled';
$r = q("SELECT * from item $r = q("SELECT * from item
WHERE item_restrict = 0 WHERE item_restrict = 0
and mid = '%s' and mid = '%s'
AND (((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND (((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
AND `item`.`deny_gid` = '' AND item_private = 0 ) AND `item`.`deny_gid` = '' AND item_private = 0 )
and owner_xchan in ( " . stream_perms_xchans(($observer) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " )) and owner_xchan in ( " . stream_perms_xchans(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
OR owner_xchan = '%s') OR owner_xchan = '%s')
$sql_extra ) $sql_extra )
group by mid limit 1", group by mid limit 1",

8
mod/search.php
View File

@ -23,6 +23,7 @@ function search_content(&$a,$update = 0, $load = false) {
$observer = $a->get_observer(); $observer = $a->get_observer();
$observer_hash = (($observer) ? $observer['xchan_hash'] : '');
$o = '<div id="live-search"></div>' . "\r\n"; $o = '<div id="live-search"></div>' . "\r\n";
@ -113,7 +114,7 @@ function search_content(&$a,$update = 0, $load = false) {
} }
$pub_sql = public_permissions_sql(get_observer_hash()); $pub_sql = public_permissions_sql($observer_hash);
require_once('include/identity.php'); require_once('include/identity.php');
@ -124,6 +125,11 @@ function search_content(&$a,$update = 0, $load = false) {
$a->set_pager_itemspage(((intval($itemspage)) ? $itemspage : 20)); $a->set_pager_itemspage(((intval($itemspage)) ? $itemspage : 20));
$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
// in case somebody turned off public access to sys channel content with permissions
if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
$sys['xchan_hash'] .= 'disabled';
if($load) { if($load) {
$r = null; $r = null;

2
version.inc
View File

@ -1 +1 @@
2014-07-25.747 2014-07-26.748