harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixes for display and search privacy enforcement

Browse Source
This commit is contained in:
friendica 2013-09-22 22:52:48 -07:00
parent 3ff9642750
commit 956d275693
3 changed files with 77 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
include/security.php
View File

@ -302,16 +302,19 @@ function public_permissions_sql($observer_hash) {
foreach($groups as $g) foreach($groups as $g)
$gs .= '|<' . $g . '>'; $gs .= '|<' . $g . '>';
} }
$sql = sprintf( $sql = '';
" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s') if($observer_hash) {
AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) $sql = sprintf(
)) " OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
", AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')), ))
dbesc($gs), ",
dbesc(protect_sprintf( '%<' . $observer_hash . '>%')), dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
dbesc($gs) dbesc($gs),
); dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
dbesc($gs)
);
}
return $sql; return $sql;
} }
@ -424,6 +427,29 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
$str .= ','; $str .= ',';
$str .= intval($rr); $str .= intval($rr);
} }
logger('stream_perms_api_uids: ' . $str);
return $str; return $str;
} }
function stream_perms_xchans($perms_min = PERMS_SITE) {
$ret = array();
if(local_user())
$ret[] = get_observer_hash();
$r = q("select channel_hash from channel where channel_r_stream <= %d",
intval($perms_min)
);
if($r)
foreach($r as $rr)
if(! in_array($rr['channel_hash'],$ret))
$ret[] = $rr['channel_hash'];
$str = '';
if($ret)
foreach($ret as $rr) {
if($str)
$str .= ',';
$str .= "'" . dbesc($rr) . "'";
}
logger('stream_perms_xchans: ' . $str);
return $str;
}

4
mod/display.php
View File

@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
} }
} }
if($r === null) { if($r === null) {
dbg(1);
$r = q("SELECT * from item $r = q("SELECT * from item
WHERE item_restrict = 0 WHERE item_restrict = 0
and mid = '%s' and mid = '%s'
AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
AND `item`.`deny_gid` = '' AND item_private = 0 ) AND `item`.`deny_gid` = '' AND item_private = 0 )
and uid in ( " . stream_perms_api_uids() . " )) and owner_xchan in ( " . stream_perms_xchans() . " ))
$sql_extra ) $sql_extra )
group by mid limit 1", group by mid limit 1",
dbesc($target_item['parent_mid']) dbesc($target_item['parent_mid'])
); );
dbg(0);
} }
} }

64
mod/search.php
View File

@ -183,23 +183,37 @@ function search_content(&$a,$update = 0, $load = false) {
} }
$pub_sql = public_permissions_sql(get_observer_hash());
if(($update) && ($load)) { if(($update) && ($load)) {
$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage'])); $pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
dbg(1);
if($load) {
$r = q("SELECT distinct mid, id as item_id from item
WHERE item_restrict = 0
AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
OR ( `item`.`uid` = %d ))
$sql_extra
group by mid ORDER BY created DESC $pager_sql ",
intval(local_user()),
intval(ABOOK_FLAG_BLOCKED)
); if($load) {
dbg(0); $r = null;
if(local_user()) {
$r = q("SELECT distinct mid, item.* from item
WHERE item_restrict = 0
AND (( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = '' AND `item`.`deny_gid` = '' AND item_private = 0 )
OR ( `item`.`uid` = %d ))
$sql_extra
group by mid ORDER BY created DESC $pager_sql ",
intval(local_user()),
intval(ABOOK_FLAG_BLOCKED)
);
}
if($r === null) {
$r = q("SELECT distinct mid, item.* from item
WHERE item_restrict = 0
AND ((( `item`.`allow_cid` = '' AND `item`.`allow_gid` = '' AND `item`.`deny_cid` = ''
AND `item`.`deny_gid` = '' AND item_private = 0 )
and owner_xchan in ( " . stream_perms_xchans() . " ))
$pub_sql )
$sql_extra
group by mid ORDER BY created DESC $pager_sql"
);
}
} }
else { else {
$r = array(); $r = array();
@ -208,19 +222,17 @@ dbg(0);
if($r) { if($r) {
$parents_str = ids_to_querystr($r,'item_id'); // $parents_str = ids_to_querystr($r,'item_id');
dbg(1);
$items = q("SELECT `item`.*, `item`.`id` AS `item_id` // $items = q("SELECT `item`.*, `item`.`id` AS `item_id`
FROM `item` // FROM `item`
WHERE item_restrict = 0 // WHERE item_restrict = 0
$sql_extra and parent in ( $parents_str ) " // $sql_extra and parent in ( $parents_str ) "
// intval($a->profile['profile_uid']), // );
// dbesc($parents_str)
); xchan_query($r);
dbg(0); $items = fetch_post_tags($r,true);
xchan_query($items); // $items = conv_sort($items,'created');
$items = fetch_post_tags($items,true);
$items = conv_sort($items,'created');
} else { } else {
$items = array(); $items = array();