secure permission discovery
This commit is contained in:
friendica
parent
aca2e3b52a
commit
a47a1d5eb9
@ -80,7 +80,20 @@ function new_contact($uid,$url,$channel,$interactive = false) {
|
||||
|
||||
$global_perms = get_perms();
|
||||
|
||||
foreach($j->permissions as $k => $v) {
|
||||
if($j->permissions->data) {
|
||||
$permissions = aes_unencapsulate(array(
|
||||
'data' => $j->permissions->data,
|
||||
'key' => $j->permissions->key,
|
||||
'iv' => $j->permissions->iv),
|
||||
$channel['channel_prvkey']);
|
||||
if($permissions)
|
||||
$permissions = json_decode($permissions);
|
||||
logger('decrypted permissions: ' . print_r($permissions,true), LOGGER_DATA);
|
||||
}
|
||||
else
|
||||
$permissions = $j->permissions;
|
||||
|
||||
foreach($permissions as $k => $v) {
|
||||
if($v) {
|
||||
$their_perms = $their_perms | intval($global_perms[$k][1]);
|
||||
}
|
||||
|
||||
@ -78,10 +78,12 @@ function zfinger_init(&$a) {
|
||||
|
||||
// FIXME encrypt permissions when targeted so that only the target can view them, requires sending the pubkey and also checking that the target_sig is signed with that pubkey and isn't a forgery.
|
||||
|
||||
$ret['permissions'] = get_all_perms($e['channel_id'],(($ztarget && $zsig)
|
||||
|
||||
$permissions = get_all_perms($e['channel_id'],(($ztarget && $zsig)
|
||||
? base64url_encode(hash('whirlpool',$ztarget . $zsig,true))
|
||||
: '' ),false);
|
||||
|
||||
$ret['permissions'] = (($ztarget) ? aes_encapsulate(json_encode($permissions),$zkey) : $permissions);
|
||||
|
||||
|
||||
// $ret['profile'] = $profile;
|
||||
|
||||
Reference in New Issue
Block a user