fixes for display and search privacy enforcement

include/security.php

@@ -302,6 +302,8 @@ function public_permissions_sql($observer_hash) {
 		foreach($groups as $g)
 			$gs .= '|<' . $g . '>';
 	} 
+	$sql = '';
+	if($observer_hash) {
 		$sql = sprintf(
 			" OR (( NOT (deny_cid like '%s' OR deny_gid REGEXP '%s')
 			  AND ( allow_cid like '%s' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
@@ -312,6 +314,7 @@ function public_permissions_sql($observer_hash) {
 			dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),
 			dbesc($gs)
 		);
+	}
 
 	return $sql;
 }
@@ -424,6 +427,29 @@ function stream_perms_api_uids($perms_min = PERMS_SITE) {
 				$str .= ',';
 			$str .= intval($rr); 
 		}
+logger('stream_perms_api_uids: ' . $str);
 	return $str;
 }
 
+function stream_perms_xchans($perms_min = PERMS_SITE) {
+	$ret = array();
+	if(local_user())
+		$ret[] = get_observer_hash();
+	$r = q("select channel_hash from channel where channel_r_stream <= %d",
+		intval($perms_min)
+	);
+	if($r)
+		foreach($r as $rr)
+			if(! in_array($rr['channel_hash'],$ret))
+				$ret[] = $rr['channel_hash']; 
+
+	$str = '';
+	if($ret)
+		foreach($ret as $rr) {
+			if($str)
+				$str .= ',';
+			$str .= "'" . dbesc($rr) . "'"; 
+		}
+logger('stream_perms_xchans: ' . $str);
+	return $str;
+}

mod/display.php

@@ -113,16 +113,18 @@ function display_content(&$a, $update = 0, $load = false) {
 				}
 			}
 			if($r === null) {
+dbg(1);
 				$r = q("SELECT * from item
 					WHERE item_restrict = 0
 					and mid = '%s'
 					AND ((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' 
 					AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
-					and uid in ( " . stream_perms_api_uids() . " ))
+					and owner_xchan in ( " . stream_perms_xchans() . " ))
 					$sql_extra )
 					group by mid limit 1",
 					dbesc($target_item['parent_mid'])
 				);
+dbg(0);
 			}
 
 		}

mod/search.php

@@ -183,13 +183,16 @@ function search_content(&$a,$update = 0, $load = false) {
 
 	}
 
-
+	$pub_sql = public_permissions_sql(get_observer_hash());
 
 	if(($update) && ($load)) {
 		$pager_sql = sprintf(" LIMIT %d, %d ",intval($a->pager['start']), intval($a->pager['itemspage']));
-dbg(1);
+
 		if($load) {
-			$r = q("SELECT distinct mid, id as item_id from item
+			$r = null;
+
+			if(local_user()) {
+				$r = q("SELECT distinct mid, item.* from item
 					WHERE item_restrict = 0
 					AND (( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
 					OR ( `item`.`uid` = %d ))
@@ -199,7 +202,18 @@ dbg(1);
 					intval(ABOOK_FLAG_BLOCKED)
 
 				);
-dbg(0);
+			}
+			if($r === null) {
+               $r = q("SELECT distinct mid, item.* from item
+                    WHERE item_restrict = 0
+                    AND ((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = ''
+                    AND `item`.`deny_gid`  = '' AND item_private = 0 )
+                    and owner_xchan in ( " . stream_perms_xchans() . " ))
+					$pub_sql )
+                    $sql_extra 
+                    group by mid ORDER BY created DESC $pager_sql"
+                );
+			}
 		}
 		else {
 			$r = array();
@@ -208,19 +222,17 @@ dbg(0);
 
 	if($r) {
 
-		$parents_str = ids_to_querystr($r,'item_id');
-dbg(1); 
-		$items = q("SELECT `item`.*, `item`.`id` AS `item_id` 
-			FROM `item`
-			WHERE item_restrict = 0 
-			$sql_extra and parent in ( $parents_str ) "
-//			intval($a->profile['profile_uid']),
-//			dbesc($parents_str)
-		);
-dbg(0);
-		xchan_query($items);
-		$items = fetch_post_tags($items,true);
-		$items = conv_sort($items,'created');
+//		$parents_str = ids_to_querystr($r,'item_id');
+
+//		$items = q("SELECT `item`.*, `item`.`id` AS `item_id` 
+//			FROM `item`
+//			WHERE item_restrict = 0 
+//			$sql_extra and parent in ( $parents_str ) "
+//		);
+
+		xchan_query($r);
+		$items = fetch_post_tags($r,true);
+//		$items = conv_sort($items,'created');
 
 	} else {
 		$items = array();