finally fix recursive attachments permissions

2017-08-01 23:20:39 +02:00 · 2017-08-01 23:20:39 +02:00 · 599b395e24
commit 599b395e24
parent aa766b53d6
1 changed files with 79 additions and 54 deletions
--- a/include/attach.php
+++ b/include/attach.php
@ -1605,7 +1605,10 @@ function file_activity($channel_id, $object, $allow_cid, $allow_gid, $deny_cid,
 		$folder_hash = $object['folder'];
-		$r_perms = recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
+		$r_perms = attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash);
 		if($r_perms === false) //nobody has recursive perms - nobody must be notified
 			return;
 		//split up returned perms
 		$arr_allow_cid = $r_perms['allow_cid'];
@ -1768,7 +1771,7 @@ function get_file_activity_object($channel_id, $hash, $url) {
 }
 /**
- * @brief Returns array of channels which have recursive permission for a file
+ * @brief Returns recursive permissions array or false if nobody has recursive permissions
 *
 * @param array $arr_allow_cid
 * @param array $arr_allow_gid
@ -1776,19 +1779,20 @@ function get_file_activity_object($channel_id, $hash, $url) {
 * @param array $arr_deny_gid
 * @param string $folder_hash
 */
-function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
+function attach_recursive_perms($arr_allow_cid, $arr_allow_gid, $arr_deny_cid, $arr_deny_gid, $folder_hash) {
 	$ret = array();
 	$parent_arr = array();
 	$count_values = array();
 	$poster = App::get_observer();
-	//turn allow_gid into allow_cid's
+	//lookup all channels in sharee group and add them to sharee $arr_allow_cid
-	foreach($arr_allow_gid as $gid) {
+	if($arr_allow_gid) {
-		$in_group = group_get_members($gid);
+		$in_group = expand_groups($arr_allow_gid);
 		$arr_allow_cid = array_unique(array_merge($arr_allow_cid, $in_group));
 	}
 	//count existing parent folders - we will compare to that count later
 	$count = 0;
 	while($folder_hash) {
 		$x = q("SELECT allow_cid, allow_gid, deny_cid, deny_gid, folder FROM attach WHERE hash = '%s' LIMIT 1",
@ -1797,30 +1801,20 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 		//only process private folders
 		if($x[0]['allow_cid'] || $x[0]['allow_gid'] || $x[0]['deny_cid'] || $x[0]['deny_gid']) {
 			$parent_arr['allow_cid'][] = expand_acl($x[0]['allow_cid']);
 			$parent_arr['allow_gid'][] = expand_acl($x[0]['allow_gid']);
 			/**
 			 * @TODO should find a much better solution for the allow_cid <-> allow_gid problem.
 			 * Do not use allow_gid for now. Instead lookup the members of the group directly and add them to allow_cid.
 			 * */
 			if($parent_arr['allow_gid']) {
 				foreach($parent_arr['allow_gid'][$count] as $gid) {
 					$in_group = group_get_members($gid);
 					$parent_arr['allow_cid'][$count] = array_unique(array_merge($parent_arr['allow_cid'][$count], $in_group));
 				}
 			}
 			$parent_arr['deny_cid'][] = expand_acl($x[0]['deny_cid']);
 			$parent_arr['deny_gid'][] = expand_acl($x[0]['deny_gid']);
 			//this is the number of all existing parent folders - we will compare to that count later
 			$count++;
 		}
 		$folder_hash = $x[0]['folder'];
 	}
 	//logger(EOL . 'parent_arr: ' . print_r($parent_arr,true));
 	//if none of the parent folders is private just return file perms
 	if(!$parent_arr['allow_cid'] && !$parent_arr['allow_gid'] && !$parent_arr['deny_cid'] && !$parent_arr['deny_gid']) {
 		$ret['allow_gid'] = $arr_allow_gid;
@ -1831,7 +1825,7 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 		return $ret;
 	}
-	//if there are no perms on the file we get them from the first parent folder
+	//if there are no perms on the file we will work with the perms from the first parent folder
 	if(!$arr_allow_cid && !$arr_allow_gid && !$arr_deny_cid && !$arr_deny_gid) {
 		$arr_allow_cid = $parent_arr['allow_cid'][0];
 		$arr_allow_gid = $parent_arr['allow_gid'][0];
@ -1839,51 +1833,82 @@ function recursive_activity_recipients($arr_allow_cid, $arr_allow_gid, $arr_deny
 		$arr_deny_gid = $parent_arr['deny_gid'][0];
 	}
-	//allow_cid
+
-	$r_arr_allow_cid = false;
+	/***
-	foreach ($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
+	*
-		foreach ($folder_arr_allow_cid as $ac_hash) {
+	* check if sharee has perms for all parent folders
-			$count_values[$ac_hash]++;
+	*
 	***/
 	$r_arr_allow_cid = [];
 	if($parent_arr['allow_cid']) {
 		//check sharee arr_allow_cid against allow_cid of all parent folders
 		foreach($parent_arr['allow_cid'] as $folder_arr_allow_cid) {
 			foreach($folder_arr_allow_cid as $ac_hash) {
 				$count_values[$ac_hash]++;
 			}
 		}
-	}
+		foreach($arr_allow_cid as $fac_hash) {
-	foreach ($arr_allow_cid as $fac_hash) {
+			if($count_values[$fac_hash] == $count)
-		if($count_values[$fac_hash] == $count)
+				$r_arr_allow_cid[] = $fac_hash;
-			$r_arr_allow_cid[] = $fac_hash;
+		}
 		//logger(EOL . 'r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
 	}
-	//allow_gid
+	if($parent_arr['allow_gid']) {
-	$r_arr_allow_gid = false;
+		//check sharee arr_allow_cid against members of allow_gid of all parent folders
-	foreach ($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
+		foreach($parent_arr['allow_gid'] as $folder_arr_allow_gid) {
-		foreach ($folder_arr_allow_gid as $ag_hash) {
+			//get the group members
-			$count_values[$ag_hash]++;
+			$folder_arr_allow_cid = expand_groups($folder_arr_allow_gid);
 			foreach($folder_arr_allow_cid as $ac_hash) {
 				$count_values[$ac_hash]++;
 			}
 		}
 		foreach($arr_allow_cid as $fac_hash) {
 			if($count_values[$fac_hash] == $count)
 				$r_arr_allow_cid[] = $fac_hash;
 		}
 		//logger(EOL . 'groups - r_arr_allow_cid: ' . print_r($r_arr_allow_cid,true));
 	}
-	foreach ($arr_allow_gid as $fag_hash) {
+
-		if($count_values[$fag_hash] == $count)
+
-			$r_arr_allow_gid[] = $fag_hash;
+	/***
 	*
 	* check if sharee is denied somewhere in parent folders and deny him if so
 	*
 	***/
 	//deny_cid
 	$r_arr_deny_cid = [];
 	if($parent_arr['deny_cid']) {
 		foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
 			$r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
 		}
 		$r_arr_deny_cid = array_unique($r_arr_deny_cid);
 		//logger(EOL . 'r_arr_deny_cid: ' . print_r($r_arr_deny_cid,true));
 	}
 	//deny_gid
-	foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
+	$r_arr_deny_gid = [];
 		$r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
 	}
 	$r_arr_deny_gid = array_unique($r_arr_deny_gid);
-	//deny_cid
+	if($parent_arr['deny_cid']) {
-	foreach($parent_arr['deny_cid'] as $folder_arr_deny_cid) {
+		foreach($parent_arr['deny_gid'] as $folder_arr_deny_gid) {
-		$r_arr_deny_cid = array_merge($arr_deny_cid, $folder_arr_deny_cid);
+			$r_arr_deny_gid = array_merge($arr_deny_gid, $folder_arr_deny_gid);
 		}
 		$r_arr_deny_gid = array_unique($r_arr_deny_gid);
 		//logger(EOL . 'r_arr_deny_gid: ' . print_r($r_arr_dr_arr_deny_gideny_cid,true));
 	}
 	$r_arr_deny_cid = array_unique($r_arr_deny_cid);
-	//if none is allowed restrict to self
+	//if no channel is allowed return false
-	if(($r_arr_allow_gid === false) && ($r_arr_allow_cid === false)) {
+	if(! $r_arr_allow_cid)
-		$ret['allow_cid'] = [$poster['xchan_hash']];
+		return false;
-	} else {
+
-		$ret['allow_gid'] = $r_arr_allow_gid;
+	$ret['allow_gid'] = []; // eventual group members are already collected in $r_arr_allow_cid
-		$ret['allow_cid'] = $r_arr_allow_cid;
+	$ret['allow_cid'] = $r_arr_allow_cid;
-		$ret['deny_gid'] = $r_arr_deny_gid;
+	$ret['deny_gid'] = $r_arr_deny_gid;
-		$ret['deny_cid'] = $r_arr_deny_cid;
+	$ret['deny_cid'] = $r_arr_deny_cid;
 	}
 	return $ret;
 }