attachment permissions not right

2013-07-30 19:43:46 -07:00 · 2013-07-30 19:43:46 -07:00 · 41c411739f
commit 41c411739f
parent cb4d61e092
2 changed files with 42 additions and 36 deletions
--- a/include/attach.php
+++ b/include/attach.php
@ -193,13 +193,13 @@ function attach_by_hash($hash,$rev = 0) {
 	$sql_extra = permissions_sql($r[0]['uid']);

 	// Now we'll see if we can access the attachment
-
+dbg(1);

 	$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
 		dbesc($hash),
 		intval($r[0]['uid'])
 	);
-
+dbg(0);
 	if(! $r) {
 		$ret['message'] =  t('Permission denied.');
 		return $ret;
--- a/include/security.php
+++ b/include/security.php
@ -205,26 +205,29 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {


 	else {
-		$observer = get_app()->get_observer();
-		$groups = init_groups_visitor($remote_user);
+		$observer = get_observer_hash();
+		if($observer) {
+			$groups = init_groups_visitor($observer);

-		$gs = '<<>>'; // should be impossible to match
+			$gs = '<<>>'; // should be impossible to match

-		if(is_array($groups) && count($groups)) {
-			foreach($groups as $g)
-				$gs .= '|<' . $g . '>';
+			if(is_array($groups) && count($groups)) {
+				foreach($groups as $g)
+					$gs .= '|<' . $g . '>';
+			} 
+			$sql = sprintf(
+				" AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+				  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+				  )
+				",
+				dbesc(protect_sprintf( '%<' . $observer . '>%')),
+				dbesc($gs),
+				dbesc(protect_sprintf( '%<' . $observer . '>%')),
+				dbesc($gs)
+			);
 		}
-		$sql = sprintf(
-			" AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
-			  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
-			  )
-			",
-			dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
-			dbesc($gs),
-			dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
-			dbesc($gs)
-		);
 	}
+
 	return $sql;
 }

@ -260,25 +263,28 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)


 	else {
-		$observer = get_app()->get_observer();
-		$groups = init_groups_visitor($remote_user);
+		$observer = get_observer_hash();

-		$gs = '<<>>'; // should be impossible to match
+		if($observer) {
+			$groups = init_groups_visitor($observer);

-		if(is_array($groups) && count($groups)) {
-			foreach($groups as $g)
-				$gs .= '|<' . $g . '>';
+			$gs = '<<>>'; // should be impossible to match
+
+			if(is_array($groups) && count($groups)) {
+				foreach($groups as $g)
+					$gs .= '|<' . $g . '>';
+			} 
+			$sql = sprintf(
+				" AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
+				  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
+				  )
+				",
+				dbesc(protect_sprintf( '%<' . $observer . '>%')),
+				dbesc($gs),
+				dbesc(protect_sprintf( '%<' . $observer . '>%')),
+				dbesc($gs)
+			);
 		}
-		$sql = sprintf(
-			" AND ( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
-			  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
-			  )
-			",
-			dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
-			dbesc($gs),
-			dbesc(protect_sprintf( '%<' . $remote_user . '>%')),
-			dbesc($gs)
-		);
 	}
 	return $sql;
 }