harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixing permissions_sql - may need more tweaks

Browse Source
This commit is contained in:
friendica 2012-12-16 03:38:04 -08:00
parent 00128955eb
commit 5d008a6923
2 changed files with 43 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
include/security.php
View File

@ -183,6 +183,7 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
AND allow_gid = '' AND allow_gid = ''
AND deny_cid = '' AND deny_cid = ''
AND deny_gid = '' AND deny_gid = ''
"; ";
/** /**
@ -201,54 +202,31 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
* done this and passed the groups into this function. * done this and passed the groups into this function.
*/ */
elseif($remote_user) {
if(! $remote_verified) { else {
$r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1", $observer = get_app()->get_observer();
intval($remote_user),
intval($owner_id)
);
if(count($r)) {
$remote_verified = true;
$groups = init_groups_visitor($remote_user); $groups = init_groups_visitor($remote_user);
}
}
if($remote_verified) {
$gs = '<<>>'; // should be impossible to match $gs = '<<>>'; // should be impossible to match
if(is_array($groups) && count($groups)) { if(is_array($groups) && count($groups)) {
foreach($groups as $g) foreach($groups as $g)
$gs .= '|<' . intval($g) . '>'; $gs .= '|<' . $g . '>';
} }
/*$sql = sprintf(
" AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')
",
intval($remote_user),
intval($remote_user),
dbesc($gs),
dbesc($gs)
);*/
$sql = sprintf( $sql = sprintf(
" AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s') " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
) )
", ",
intval($remote_user), dbesc(protect_sprintf( '%' . $remote_user . '%')),
dbesc($gs), dbesc($gs),
intval($remote_user), dbesc(protect_sprintf( '%' . $remote_user . '%')),
dbesc($gs) dbesc($gs)
); );
} }
}
return $sql; return $sql;
} }
function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) { function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) {
$local_user = local_user(); $local_user = local_user();
@ -260,12 +238,8 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
* default permissions - anonymous user * default permissions - anonymous user
*/ */
$sql = " AND allow_cid = '' $sql = " AND not (item_flags & " . ITEM_PRIVATE . ") ";
AND allow_gid = ''
AND deny_cid = ''
AND deny_gid = ''
AND private = 0
";
/** /**
* Profile owner - everything is visible * Profile owner - everything is visible
@ -283,45 +257,33 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
* done this and passed the groups into this function. * done this and passed the groups into this function.
*/ */
elseif($remote_user) {
if(! $remote_verified) { else {
$r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1", $observer = get_app()->get_observer();
intval($remote_user),
intval($owner_id)
);
if(count($r)) {
$remote_verified = true;
$groups = init_groups_visitor($remote_user); $groups = init_groups_visitor($remote_user);
}
}
if($remote_verified) {
$gs = '<<>>'; // should be impossible to match $gs = '<<>>'; // should be impossible to match
if(is_array($groups) && count($groups)) { if(is_array($groups) && count($groups)) {
foreach($groups as $g) foreach($groups as $g)
$gs .= '|<' . intval($g) . '>'; $gs .= '|<' . $g . '>';
} }
$sql = sprintf( $sql = sprintf(
" AND ( private = 0 OR ( private = 1 AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) " AND ( NOT (deny_cid like '<%s>' OR deny_gid REGEXP '%s')
AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' ) AND ( allow_cid like '<%s>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
AND ( allow_gid = '' OR allow_gid REGEXP '%s' ) )
AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')))
", ",
intval($remote_user), dbesc(protect_sprintf( '%' . $remote_user . '%')),
intval($remote_user),
dbesc($gs), dbesc($gs),
dbesc(protect_sprintf( '%' . $remote_user . '%')),
dbesc($gs) dbesc($gs)
); );
} }
}
return $sql; return $sql;
} }
/* /*
* Functions used to protect against Cross-Site Request Forgery * Functions used to protect against Cross-Site Request Forgery
* The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key. * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
@ -388,8 +350,7 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
if(! function_exists('init_groups_visitor')) { if(! function_exists('init_groups_visitor')) {
function init_groups_visitor($contact_id) { function init_groups_visitor($contact_id) {
$groups = array(); $groups = array();
$r = q("SELECT `gid` FROM `group_member` $r = q("SELECT gid FROM group_member WHERE xchan = '%s' ",
WHERE `contact-id` = %d ",
intval($contact_id) intval($contact_id)
); );
if(count($r)) { if(count($r)) {

2
mod/channel.php
View File

@ -127,7 +127,7 @@ function channel_content(&$a, $update = 0, $load = false) {
* Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups * Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
*/ */
// fixme
$sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups); $sql_extra = item_permissions_sql($a->profile['profile_uid'],$remote_contact,$groups);