only let visitors remove their own files.

2014-01-09 19:20:10 -08:00 · 2014-01-09 19:20:10 -08:00 · a309bc0d47
commit a309bc0d47
parent 49882f2be4
5 changed files with 35 additions and 12 deletions
--- a/boot.php
+++ b/boot.php
@ -46,7 +46,7 @@ define ( 'RED_PLATFORM',            'Red Matrix' );
 define ( 'RED_VERSION',             trim(file_get_contents('version.inc')) . 'R');
 define ( 'ZOT_REVISION',            1     ); 

-define ( 'DB_UPDATE_VERSION',       1089  );
+define ( 'DB_UPDATE_VERSION',       1090  );

 define ( 'EOL',                    '<br />' . "\r\n"     );
 define ( 'ATOM_TIME',              'Y-m-d\TH:i:s\Z' );
--- a/include/attach.php
+++ b/include/attach.php
@ -237,7 +237,7 @@ function attach_by_hash_nodata($hash,$rev = 0) {

 	// Now we'll see if we can access the attachment

-	$r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
+	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_extra limit 1",
 		intval($r[0]['uid']),
 		dbesc($hash)
 	);
@ -358,11 +358,12 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
 		);
 	}
 	elseif($options === 'revise') {
-		$r = q("insert into attach ( aid, uid, hash, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
-			VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+		$r = q("insert into attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+			VALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
 			intval($x[0]['aid']),
 			intval($channel_id),
 			dbesc($x[0]['hash']),
+			dbesc(get_observer_hash()),
 			dbesc($filename),
 			dbesc($mimetype),
 			intval($filesize),
@ -393,11 +394,12 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {
 	}		

 	else {
-		$r = q("INSERT INTO attach ( aid, uid, hash, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )
-			VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+		$r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid,deny_cid, deny_gid )
+			VALUES ( %d, %d, '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
 			intval($channel['channel_account_id']),
 			intval($channel_id),
 			dbesc($hash),
+			dbesc(get_observer_hash()),
 			dbesc($filename),
 			dbesc($mimetype),
 			intval($filesize),
@ -422,7 +424,7 @@ function attach_store($channel,$observer_hash,$options = '',$arr = null) {

 	// Caution: This re-uses $sql_options set further above

-	$r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_options limit 1",
+	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where uid = %d and hash = '%s' $sql_options limit 1",
 		intval($channel_id),
 		dbesc($hash)
 	);
@ -482,7 +484,7 @@ function z_readdir($channel_id,$observer_hash,$pathname, $parent_hash = '') {
 	else
 		$paths = array($pathname);
 	
-	$r = q("select id, aid, uid, hash, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id),
+	$r = q("select id, aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, created, edited, allow_cid, allow_gid, deny_cid, deny_gid from attach where id = %d and folder = '%s' and filename = '%s' and (flags & %d ) " . permissions_sql($channel_id),
 		intval($channel_id),
 		dbesc($parent_hash),
 		dbesc($paths[0]),
@ -599,11 +601,12 @@ function attach_mkdir($channel,$observer_hash,$arr = null) {

 	$created = datetime_convert();		

-	$r = q("INSERT INTO attach ( aid, uid, hash, filename, filetype, filesize, revision, folder, flags, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+	$r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, filetype, filesize, revision, folder, flags, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
 		VALUES ( %d, %d, '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
 		intval($channel['channel_account_id']),
 		intval($channel_id),
 		dbesc($arr['hash']),
+		dbesc(get_observer_hash()),
 		dbesc($arr['filename']),
 		dbesc('multipart/mixed'),
 		intval(0),
@ -690,6 +693,7 @@ function attach_delete($channel_id,$resource) {
 		intval($channel_id)
 	);

+
 	if(! $r)
 		return;

--- a/include/reddav.php
+++ b/include/reddav.php
@ -115,11 +115,12 @@ class RedDirectory extends DAV\Node implements DAV\ICollection {
 		$filesize = 0;
 		$hash = random_string();

-        $r = q("INSERT INTO attach ( aid, uid, hash, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
-            VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
+        $r = q("INSERT INTO attach ( aid, uid, hash, creator, filename, folder, flags, filetype, filesize, revision, data, created, edited, allow_cid, allow_gid, deny_cid, deny_gid )
+            VALUES ( %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s' ) ",
            intval($c[0]['channel_account_id']),
            intval($c[0]['channel_id']),
            dbesc($hash),
+			dbesc($this->auth->observer),
            dbesc($name),
 			dbesc($this->folder_hash),
 			dbesc(ATTACH_FLAG_OS),
@ -415,6 +416,13 @@ class RedFile extends DAV\Node implements DAV\IFile {
 			return;
 		}

+		if($this->auth->owner_id !== $this->auth->channel_id) {
+			if(($this->auth->observer !== $this->data['creator']) || ($this->data['flags'] & ATTACH_FLAG_DIR)) {
+				throw new DAV\Exception\Forbidden('Permission denied.');
+				return;
+			}
+		}
+
 		attach_delete($this->auth->owner_id,$this->data['hash']);
 	}

--- a/install/database.sql
+++ b/install/database.sql
@ -87,6 +87,7 @@ CREATE TABLE IF NOT EXISTS `attach` (
  `aid` int(10) unsigned NOT NULL DEFAULT '0',
  `uid` int(10) unsigned NOT NULL DEFAULT '0',
  `hash` char(64) NOT NULL DEFAULT '',
+  `creator` char(128) NOT NULL DEFAULT '0',
  `filename` char(255) NOT NULL DEFAULT '',
  `filetype` char(64) NOT NULL DEFAULT '',
  `filesize` int(10) unsigned NOT NULL DEFAULT '0',
@ -104,6 +105,7 @@ CREATE TABLE IF NOT EXISTS `attach` (
  KEY `aid` (`aid`),
  KEY `uid` (`uid`),
  KEY `hash` (`hash`),
+  KEY `creator` (`creator`),
  KEY `filename` (`filename`),
  KEY `filetype` (`filetype`),
  KEY `filesize` (`filesize`),
--- a/install/update.php
+++ b/install/update.php
@ -1,6 +1,6 @@
 <?php

-define( 'UPDATE_VERSION' , 1089 );
+define( 'UPDATE_VERSION' , 1090 );

 /**
 *
@ -977,3 +977,12 @@ ADD `deny_gid` MEDIUMTEXT NOT NULL DEFAULT ''");
 	return UPDATE_FAILED;
 }

+function update_r1089() {
+	$r = q("ALTER TABLE `attach` ADD `creator` CHAR( 128 ) NOT NULL DEFAULT '' AFTER `hash` ,
+ADD INDEX ( `creator` ) ");
+	if($r)
+		return UPDATE_SUCCESS;
+	return UPDATE_FAILED;
+}
+
+