cache result of (expensive) security check for visitor rights
begin tightening x-profile security
		| @@ -2,8 +2,11 @@ | |||||||
|  |  | ||||||
| function can_write_wall(&$a,$owner) { | function can_write_wall(&$a,$owner) { | ||||||
|  |  | ||||||
|  | 	static $verified = 0; | ||||||
|  |  | ||||||
| 	if((! (local_user())) && (! (remote_user()))) | 	if((! (local_user())) && (! (remote_user()))) | ||||||
| 		return false; | 		return false; | ||||||
|  |  | ||||||
| 	$uid = local_user(); | 	$uid = local_user(); | ||||||
|  |  | ||||||
| 	if(($uid) && ($uid == $owner)) { | 	if(($uid) && ($uid == $owner)) { | ||||||
| @@ -11,6 +14,15 @@ function can_write_wall(&$a,$owner) { | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	if(remote_user()) { | 	if(remote_user()) { | ||||||
|  |  | ||||||
|  | 		// user remembered decision and avoid a DB lookup for each and every display item | ||||||
|  | 		// DO NOT use this function if there are going to be multiple owners | ||||||
|  |  | ||||||
|  | 		if($verified === 2) | ||||||
|  | 			return true; | ||||||
|  | 		elseif($verified === 1) | ||||||
|  | 			return false; | ||||||
|  | 		else { | ||||||
| 			$r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `user`.`uid` = `contact`.`uid`  | 			$r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `user`.`uid` = `contact`.`uid`  | ||||||
| 				WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0  | 				WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0  | ||||||
| 				AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1", | 				AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1", | ||||||
| @@ -20,11 +32,15 @@ function can_write_wall(&$a,$owner) { | |||||||
| 				intval(REL_BUD), | 				intval(REL_BUD), | ||||||
| 				intval(PAGE_COMMUNITY) | 				intval(PAGE_COMMUNITY) | ||||||
| 			); | 			); | ||||||
| 		} | 			if(count($r)) { | ||||||
| 		if(count($r)) | 				$verified = 2; | ||||||
| 				return true; | 				return true; | ||||||
|  | 			} | ||||||
|  | 			else { | ||||||
|  | 				$verified = 1; | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  |  | ||||||
| 	return false; | 	return false; | ||||||
|  |  | ||||||
| } | } | ||||||
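Review bot: The new `static $verified` cache (L8) is keyed on nothing, so once a remote visitor's check against one `$owner` is memoized (L37, L41), every later call in the same request returns that result for any other owner; the comment at L22 documents the hazard instead of removing it, and any caller that renders items belonging to several walls would silently get another owner's decision. Indexing the cache by owner keeps the DB saving and drops the restriction, as sketched below; this assumes remote_user() is stable for the lifetime of the request (session-backed), otherwise it has to be part of the key as well. The query's argument list between the second and third hunks is not shown, and is left as is.
```php
	static $verified = array();   // owner id => 2 (may write) | 1 (may not)
	// … unchanged: local_user()/owner checks …
	if(remote_user()) {

		// remember the per-owner decision so repeated display items do not each hit the DB
		if(isset($verified[$owner]))
			return ($verified[$owner] === 2);

		// … unchanged: contact/user query into $r …
		if(count($r)) {
			$verified[$owner] = 2;
			return true;
		}
		$verified[$owner] = 1;
	}
```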
|   | |||||||
| @@ -10,6 +10,7 @@ function dfrn_poll_init(&$a) { | |||||||
| 	$type            = ((x($_GET,'type'))            ? $_GET['type']                 : ''); | 	$type            = ((x($_GET,'type'))            ? $_GET['type']                 : ''); | ||||||
| 	$last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : ''); | 	$last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : ''); | ||||||
| 	$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : ''); | 	$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : ''); | ||||||
|  | 	$sec             = ((x($_GET,'sec'))             ? intval($_GET['sec'])          : 0); | ||||||
| 	$dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 0); | 	$dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 0); | ||||||
|  |  | ||||||
|  |  | ||||||
| @@ -212,18 +213,11 @@ function dfrn_poll_post(&$a) { | |||||||
|  |  | ||||||
| function dfrn_poll_content(&$a) { | function dfrn_poll_content(&$a) { | ||||||
|  |  | ||||||
|  | 	$dfrn_id      = ((x($_GET,'dfrn_id'))      ? $_GET['dfrn_id']              : ''); | ||||||
| 	$dfrn_id = ''; | 	$type         = ((x($_GET,'type'))         ? $_GET['type']                 : 'data'); | ||||||
| 	$type = 'data'; | 	$last_update  = ((x($_GET,'last_update'))  ? $_GET['last_update']          : ''); | ||||||
|  | 	$dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0); | ||||||
| 	if(x($_GET,'dfrn_id')) | 	$sec          = ((x($_GET,'sec'))          ? intval($_GET['sec'])          : 0); | ||||||
| 		$dfrn_id = $_GET['dfrn_id']; |  | ||||||
| 	if(x($_GET,'type')) |  | ||||||
| 		$type = $_GET['type']; |  | ||||||
| 	if(x($_GET,'last_update')) |  | ||||||
| 		$last_update = $_GET['last_update']; |  | ||||||
|  |  | ||||||
| 	$dfrn_version = (float) $_GET['dfrn_version']; |  | ||||||
|  |  | ||||||
| 	$direction = (-1); | 	$direction = (-1); | ||||||
| 	if(strpos($dfrn_id,':') == 1) { | 	if(strpos($dfrn_id,':') == 1) { | ||||||
| @@ -249,7 +243,6 @@ function dfrn_poll_content(&$a) { | |||||||
| 			dbesc($last_update) | 			dbesc($last_update) | ||||||
| 		); | 		); | ||||||
|  |  | ||||||
|  |  | ||||||
| 		$sql_extra = ''; | 		$sql_extra = ''; | ||||||
| 		switch($direction) { | 		switch($direction) { | ||||||
| 			case (-1): | 			case (-1): | ||||||
| @@ -269,9 +262,6 @@ function dfrn_poll_content(&$a) { | |||||||
| 				break; // NOTREACHED | 				break; // NOTREACHED | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
|  |  | ||||||
| 		$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1"); | 		$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1"); | ||||||
|  |  | ||||||
| 		if(count($r)) { | 		if(count($r)) { | ||||||
| @@ -296,6 +286,7 @@ function dfrn_poll_content(&$a) { | |||||||
| 		else { | 		else { | ||||||
| 			$status = 1; | 			$status = 1; | ||||||
| 		} | 		} | ||||||
|  |  | ||||||
| 		header("Content-type: text/xml"); | 		header("Content-type: text/xml"); | ||||||
| 		echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n" | 		echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n" | ||||||
| 			. '<dfrn_poll>' . "\r\n" | 			. '<dfrn_poll>' . "\r\n" | ||||||
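Review bot: `$sec` is read from `$_GET` in both dfrn_poll_init (L54) and dfrn_poll_content (L66) but no visible hunk consumes it, so as far as this commit shows it is dead state; when it is wired in, keep in mind it is a plain query parameter any client can set, so it may select which flow the caller wants but must not by itself count as evidence that the request arrived through redir — the existing dfrn_id exchange is what identifies the visitor. Separately, the rewritten header of dfrn_poll_content defaults `$dfrn_version` to 2.0 (L65) while dfrn_poll_init defaults it to 0 (L55); if both paths branch on the version, a missing parameter is now interpreted differently by the two entry points, and if that is intended a comment on L65 such as `// absent dfrn_version: assume 2.0 (dfrn_poll_init assumes 0)` would make it explicit. Both functions continue outside the shown hunks.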
|   | |||||||
| @@ -27,6 +27,6 @@ function redir_init(&$a) { | |||||||
| 		dbesc($dfrn_id), | 		dbesc($dfrn_id), | ||||||
| 		intval(time() + 45)); | 		intval(time() + 45)); | ||||||
| 	goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id  | 	goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id  | ||||||
| 		. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile'); | 		. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1'); | ||||||
| 	 | 	 | ||||||
| } | } | ||||||
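Review bot: The `&sec=1` appended to the redirect URL (L108) is the only producer of the new parameter, and nothing in the hunk records what the receiving poll endpoint is meant to make of it; since it travels as an unauthenticated query-string value, a comment should state that it is a hint, e.g. `// sec=1: ask the peer for the tightened profile flow; it is a hint, not proof the visit came via redir`. The peer identifies the visitor through the `dfrn_id` value passed alongside it, so any access decision on the other side should stay bound to that exchange rather than to `sec`; the hunk does not show that side, so this is an inference from the parameter's shape. redir_init starts outside the hunk.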
|   | |||||||