{1}
In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation.
+ +Examples of behavior that contributes to creating a positive environment +include:
+ +Examples of unacceptable behavior by participants include:
+ +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior.
+ +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful.
+ +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers.
+ +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at project@hubzilla.org. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately.
+ +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership.
+ +This Code of Conduct is adapted from the Contributor Covenant, version 1.4, +available at http://contributor-covenant.org/version/1/4.
+ + + diff --git a/doc/develop.bb b/doc/develop.bb index ef3ea5bd0..7a7350049 100644 --- a/doc/develop.bb +++ b/doc/develop.bb @@ -27,5 +27,5 @@ [zrl=[baseurl]/help/dev_beginner]Step-for-step manual for beginning developers[/zrl] [h3]External Resources[/h3] -[url=https://zothub.com/channel/one]Development Channel[/url] +[url=https://grid.reticu.li/channel/hubzilla]Development Channel[/url] [url=https://federated.social/channel/postgres]Postgres-specific $Projectname Admin Support Channel[/url] diff --git a/doc/developers.bb b/doc/developers.bb index 6f7752577..c7cf66093 100644 --- a/doc/developers.bb +++ b/doc/developers.bb @@ -1,6 +1,6 @@ [b]$Projectname Developer Guide[/b] -We're pretty relaxed when it comes to developers. We don't have a lot of rules. Some of us are over-worked and if you want to help we're happy to let you help. That said, attention to a few guidelines will make the process smoother and make it easier to work together. We have developers from across the globe with different abilities and different cultural backgrounds and different levels of patience. Our primary rule is to respect others. Sometimes this is hard and sometimes we have very different opinions of how things should work, but if everybody makes an effort, we'll get along just fine. +We're pretty relaxed when it comes to developers. We don't have a lot of rules. Some of us are over-worked and if you want to help we're happy to let you help. That said, attention to a few guidelines will make the process smoother and make it easier to work together. All developers are expected to abide by our [zrl=[baseurl]/help/contributor/covenant]code of conduct[/zrl]. We have developers from across the globe with different abilities and different cultural backgrounds and different levels of patience. Our primary rule is to respect others. Sometimes this is hard and sometimes we have very different opinions of how things should work, but if everybody makes an effort, we'll get along just fine. [b]Here is how you can join us.[/b] diff --git a/doc/feature/access_tokens.bb b/doc/feature/access_tokens.bb new file mode 100644 index 000000000..eb5c03717 --- /dev/null +++ b/doc/feature/access_tokens.bb @@ -0,0 +1,47 @@ +Feature: Zot Access Tokens +Status: Draft +Date: 15 July 2016 + + +Purpose: + +In order to facilitate sharing of private resources with non-members or members of federation nodes with limited identification discovery, Hubzilla should provide members with a mechanism to create and manage temporary ("throwaway") logins, aka "Zot Access Tokens". These tokens/credentials may be used to authenticate to a hubzilla site for the sole purpose of accessing privileged or access controlled resources (files, photos, posts, webpages, chatrooms, etc.). + + +Scope: + +Zot Access Tokens do not convey membership in the site or network. In particular, they do not provide an account or channel; which may be necessary to interact with the hub owner or with others in the network or federation of networks. In most cases they can only be used to consume restricted resources and do not have an ability to create those resources, however this ability may be provided by custom configurations or in future releases or addons. + +For instance the ability for a temporary login to access a chatroom may provide suitable permission to create chat messages inside that chatroom. + + +Implementation: + +Zot Access Tokens are managed through a "tab" of the settings page. Access to this tab may be controlled by site configuration. On this page, channels may create, edit, list, and remove any access tokens under their control. + +The form to create/edit accepts three parameters, a human readable name, a password or access token, and an optional expiration. Once expired, the access token is no longer valid, may no longer be used, and will be automatically purged from the list of temporary accounts. The password field in the create/edit forms displays the text of the access token and not an obscured password. By default we will create a token using the autoname() function, which generally produces a random character sequence which is "pronounceable", hence easy to convey or remember. This can be changed to any other character sequence which is acceptable to the site password complexity policy. (In most Hubzilla installations this imposes a minimum of three characters, but may be extended by plugin or site policy). + + +Usage: + +We do not specify mechanisms for sharing these tokens with others. Any communication method may be used. Any tokens you have created are added to the Access Control List selector and may be used anywhere that Access Control Lists are provided. + + Example: A visitor arrives at your site. She has an access token you have provided, and attempts to visit one of your photo albums (which is restricted to be viewed only by yourself and one temporary identity). Permission is denied. + +The visitor now selects "Login" from the menu navigation bar. This presents a login page. She enters the name and password you have provided her, and she can now view the restricted photo album. + + +Alternatively, you may share a link to a protected file by adding a parameter "&zat=abc123" to the URL, where the string "abc123" is the access token or password for the temporary login. No further negotiation is required, and the file is presented. + +Zot Acess Tokens are represented internally as an authenticated "observer". Querying the observer in code should return a pseudo or system generated xchan with an unknown protocol and a default profile photo. It will match (successfully) any access control rule which allows authenticated observers. + +Security Considerations: + +The URL form of authentication is inherently less secure than using a login, but may be preferable for some uses of this feature. It probably should not be transmitted over non-SSL links. + + +Future development: + +It might be desirable for future implementations to provide an options for single-use, where the access token is removed promptly following first use. + + \ No newline at end of file diff --git a/include/acl_selectors.php b/include/acl_selectors.php index 9bee942e2..362776b44 100644 --- a/include/acl_selectors.php +++ b/include/acl_selectors.php @@ -148,11 +148,6 @@ function populate_acl($defaults = null,$show_jotnets = true, $emptyACL_descripti array_walk($deny_cid,'fixacl'); array_walk($deny_gid,'fixacl'); } - - $jotnets = ''; - if($show_jotnets) { - call_hooks('jot_networks', $jotnets); - } $r = q("SELECT id, hash, gname FROM groups WHERE deleted = 0 AND uid = %d ORDER BY gname ASC", intval(local_channel()) @@ -181,8 +176,6 @@ function populate_acl($defaults = null,$show_jotnets = true, $emptyACL_descripti '$allowgid' => json_encode($allow_gid), '$denycid' => json_encode($deny_cid), '$denygid' => json_encode($deny_gid), - '$jnetModalTitle' => t('Other networks and post services'), - '$jotnets' => $jotnets, '$aclModalTitle' => t('Permissions'), '$aclModalDesc' => $dialog_description, '$aclModalDismiss' => t('Close'), diff --git a/include/channel.php b/include/channel.php index 1179697a4..47db7e806 100644 --- a/include/channel.php +++ b/include/channel.php @@ -1381,6 +1381,11 @@ function zid($s,$address = '') { if (! strlen($s) || strpos($s,'zid=')) return $s; + $m = parse_url($s); + $fragment = ((array_key_exists('fragment',$m) && $m['fragment']) ? $m['fragment'] : false); + if($fragment !== false) + $s = str_replace('#' . $fragment,'',$s); + $has_params = ((strpos($s,'?')) ? true : false); $num_slashes = substr_count($s, '/'); if (! $has_params) @@ -1401,6 +1406,11 @@ function zid($s,$address = '') { else $zurl = $s; + // put fragment at the end + + if($fragment) + $zurl .= '#' . $fragment; + $arr = array('url' => $s, 'zid' => urlencode($myaddr), 'result' => $zurl); call_hooks('zid', $arr); diff --git a/include/conversation.php b/include/conversation.php index 7d1473fe2..637234bff 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -1200,8 +1200,6 @@ function status_editor($a, $x, $popup = false) { $tpl = get_markup_template('jot.tpl'); - $jotplugins = ''; - $preview = t('Preview'); if(x($x, 'hide_preview')) $preview = ''; @@ -1218,8 +1216,14 @@ function status_editor($a, $x, $popup = false) { if(! $cipher) $cipher = 'aes256'; + $jotplugins = ''; call_hooks('jot_tool', $jotplugins); + $jotnets = ''; + if(x($x,'jotnets')) { + call_hooks('jot_networks', $jotnets); + } + $o .= replace_macros($tpl, array( '$return_path' => ((x($x, 'return_path')) ? $x['return_path'] : App::$query_string), '$action' => z_root() . '/item', @@ -1276,6 +1280,8 @@ function status_editor($a, $x, $popup = false) { '$preview' => $preview, '$source' => ((x($x, 'source')) ? $x['source'] : ''), '$jotplugins' => $jotplugins, + '$jotnets' => $jotnets, + '$jotnets_label' => t('Other networks and post services'), '$defexpire' => $defexpire, '$feature_expire' => $feature_expire, '$expires' => t('Set expiration date'), diff --git a/include/items.php b/include/items.php index 91110eb07..ac746c189 100755 --- a/include/items.php +++ b/include/items.php @@ -1627,8 +1627,21 @@ function item_store($arr, $allow_exec = false, $deliver = true) { $arr['commented'] = ((x($arr,'commented') !== false) ? datetime_convert('UTC','UTC',$arr['commented']) : datetime_convert()); $arr['comments_closed'] = ((x($arr,'comments_closed') !== false) ? datetime_convert('UTC','UTC',$arr['comments_closed']) : NULL_DATE); - $arr['received'] = datetime_convert(); - $arr['changed'] = datetime_convert(); + if($deliver) { + $arr['received'] = datetime_convert(); + $arr['changed'] = datetime_convert(); + } + else { + + // When deliver flag is false, we are *probably* performing an import or bulk migration. + // If one updates the changed timestamp it will be made available to zotfeed and delivery + // will still take place through backdoor methods. Since these fields are rarely used + // otherwise, just preserve the original timestamp. + + $arr['received'] = ((x($arr,'received') !== false) ? datetime_convert('UTC','UTC',$arr['received']) : datetime_convert()); + $arr['changed'] = ((x($arr,'changed') !== false) ? datetime_convert('UTC','UTC',$arr['changed']) : datetime_convert()); + } + $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : ''); $arr['coord'] = ((x($arr,'coord')) ? notags(trim($arr['coord'])) : ''); $arr['parent_mid'] = ((x($arr,'parent_mid')) ? notags(trim($arr['parent_mid'])) : ''); @@ -2035,8 +2048,22 @@ function item_store_update($arr,$allow_exec = false, $deliver = true) { $arr['comments_closed'] = $orig[0]['comments_closed']; $arr['commented'] = $orig[0]['commented']; - $arr['received'] = datetime_convert(); - $arr['changed'] = datetime_convert(); + + if($deliver) { + $arr['received'] = datetime_convert(); + $arr['changed'] = datetime_convert(); + } + else { + + // When deliver flag is false, we are *probably* performing an import or bulk migration. + // If one updates the changed timestamp it will be made available to zotfeed and delivery + // will still take place through backdoor methods. Since these fields are rarely used + // otherwise, just preserve the original timestamp. + + $arr['received'] = $orig[0]['received']; + $arr['changed'] = $orig[0]['changed']; + } + $arr['route'] = ((array_key_exists('route',$arr)) ? trim($arr['route']) : $orig[0]['route']); $arr['diaspora_meta'] = ((x($arr,'diaspora_meta')) ? $arr['diaspora_meta'] : $orig[0]['diaspora_meta']); $arr['location'] = ((x($arr,'location')) ? notags(trim($arr['location'])) : $orig[0]['location']); diff --git a/include/plugin.php b/include/plugin.php index cb206d944..663d17959 100755 --- a/include/plugin.php +++ b/include/plugin.php @@ -404,6 +404,18 @@ function check_plugin_versions($info) { return false; } } + if(array_key_exists('serverroles',$info)) { + $role = \Zotlabs\Lib\System::get_server_role(); + if(! ( + stristr($info['serverroles'],'*') + || stristr($info['serverroles'],'any') + || stristr($info['serverroles'],$role))) { + logger('serverrole limit: ' . $info['name'],LOGGER_NORMAL,LOG_WARNING); + return false; + + } + } + if(array_key_exists('requires',$info)) { $arr = explode(',',$info['requires']); diff --git a/include/zot.php b/include/zot.php index 01b29f74b..c3c924113 100644 --- a/include/zot.php +++ b/include/zot.php @@ -3708,6 +3708,8 @@ function zotinfo($arr) { } } + $ztarget_hash = (($ztarget && $zsig) ? make_xchan_hash($ztarget,$zsig) : '' ); + $r = null; if(strlen($zhash)) { @@ -3783,11 +3785,11 @@ function zotinfo($arr) { if($role === 'forum' || $role === 'repository') { $public_forum = true; } - else { + elseif($ztarget_hash) { // check if it has characteristics of a public forum based on custom permissions. $t = q("select * from abconfig where abconfig.cat = 'my_perms' and abconfig.chan = %d and abconfig.xchan = '%s' and abconfig.k in ('tag_deliver', 'send_stream') ", intval($e['channel_id']), - dbesc($e['channel_hash']) + dbesc($ztarget_hash) ); $ch = 0; @@ -3889,9 +3891,6 @@ function zotinfo($arr) { $ret['follow_url'] = z_root() . '/follow?f=&url=%s'; - $ztarget_hash = (($ztarget && $zsig) - ? make_xchan_hash($ztarget,$zsig) - : '' ); $permissions = get_all_perms($e['channel_id'],$ztarget_hash,false); diff --git a/install/htconfig.sample.php b/install/htconfig.sample.php index e5c743ac1..f37b3dc79 100755 --- a/install/htconfig.sample.php +++ b/install/htconfig.sample.php @@ -47,9 +47,9 @@ App::$config['system']['location_hash'] = 'if the auto install failed, put a uni // Choices are 'basic', 'standard', and 'pro'. // basic sets up the sevrer for basic social networking and removes "complicated" features // standard provides most desired features except e-commerce -// pro gives you access to everything +// pro gives you access to everything, but removes cross-platform federation/emulation -App::$config['system']['server_role'] = 'pro'; +App::$config['system']['server_role'] = 'standard'; // These lines set additional security headers to be sent with all responses diff --git a/util/hmessages.po b/util/hmessages.po index 99a478c2e..ada834815 100644 --- a/util/hmessages.po +++ b/util/hmessages.po @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-08-12 00:02-0700\n" +"POT-Creation-Date: 2016-08-19 00:02-0700\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME