attachment permissions not right
This commit is contained in:
friendica
parent
cb4d61e092
commit
41c411739f
@ -193,13 +193,13 @@ function attach_by_hash($hash,$rev = 0) {
|
|||||||
$sql_extra = permissions_sql($r[0]['uid']);
|
$sql_extra = permissions_sql($r[0]['uid']);
|
||||||
|
|
||||||
// Now we'll see if we can access the attachment
|
// Now we'll see if we can access the attachment
|
||||||
|
dbg(1);
|
||||||
|
|
||||||
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
|
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
|
||||||
dbesc($hash),
|
dbesc($hash),
|
||||||
intval($r[0]['uid'])
|
intval($r[0]['uid'])
|
||||||
);
|
);
|
||||||
|
dbg(0);
|
||||||
if(! $r) {
|
if(! $r) {
|
||||||
$ret['message'] = t('Permission denied.');
|
$ret['message'] = t('Permission denied.');
|
||||||
return $ret;
|
return $ret;
|
||||||
|
|||||||
@ -205,8 +205,9 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
|
|||||||
|
|
||||||
|
|
||||||
else {
|
else {
|
||||||
$observer = get_app()->get_observer();
|
$observer = get_observer_hash();
|
||||||
$groups = init_groups_visitor($remote_user);
|
if($observer) {
|
||||||
|
$groups = init_groups_visitor($observer);
|
||||||
|
|
||||||
$gs = '<<>>'; // should be impossible to match
|
$gs = '<<>>'; // should be impossible to match
|
||||||
|
|
||||||
@ -219,12 +220,14 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
|
|||||||
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
||||||
)
|
)
|
||||||
",
|
",
|
||||||
dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
|
dbesc(protect_sprintf( '%<' . $observer . '>%')),
|
||||||
dbesc($gs),
|
dbesc($gs),
|
||||||
dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
|
dbesc(protect_sprintf( '%<' . $observer . '>%')),
|
||||||
dbesc($gs)
|
dbesc($gs)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $sql;
|
return $sql;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -260,8 +263,10 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
|
|||||||
|
|
||||||
|
|
||||||
else {
|
else {
|
||||||
$observer = get_app()->get_observer();
|
$observer = get_observer_hash();
|
||||||
$groups = init_groups_visitor($remote_user);
|
|
||||||
|
if($observer) {
|
||||||
|
$groups = init_groups_visitor($observer);
|
||||||
|
|
||||||
$gs = '<<>>'; // should be impossible to match
|
$gs = '<<>>'; // should be impossible to match
|
||||||
|
|
||||||
@ -274,12 +279,13 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
|
|||||||
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
|
||||||
)
|
)
|
||||||
",
|
",
|
||||||
dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
|
dbesc(protect_sprintf( '%<' . $observer . '>%')),
|
||||||
dbesc($gs),
|
dbesc($gs),
|
||||||
dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
|
dbesc(protect_sprintf( '%<' . $observer . '>%')),
|
||||||
dbesc($gs)
|
dbesc($gs)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $sql;
|
return $sql;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user