harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: perms_pending not evaluated correctly

Browse Source 
(cherry picked from commit 5a46f1229d)
This commit is contained in:
zotlabs 2019-04-05 23:46:52 +00:00 committed by Mario
parent 33ac85f637
commit a93bd8d944
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/permissions.php
View File

@ -192,7 +192,7 @@ function get_all_perms($uid, $observer_xchan, $check_siteblock = true, $default_
// They are in your address book, but haven't been approved // They are in your address book, but haven't been approved
if($channel_perm & PERMS_PENDING) { if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
$ret[$perm_name] = true; $ret[$perm_name] = true;
continue; continue;
} }
@ -316,6 +316,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
if(! $x) { if(! $x) {
// not in address book and no guest token, see if they've got an xchan // not in address book and no guest token, see if they've got an xchan
$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1", $y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
dbesc($observer_xchan) dbesc($observer_xchan)
); );
@ -327,7 +328,6 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
} }
$abperms = load_abconfig($uid,$observer_xchan,'my_perms'); $abperms = load_abconfig($uid,$observer_xchan,'my_perms');
} }
// system is blocked to anybody who is not authenticated // system is blocked to anybody who is not authenticated
@ -382,7 +382,7 @@ function perm_is_allowed($uid, $observer_xchan, $permission, $check_siteblock =
// They are in your address book, but haven't been approved // They are in your address book, but haven't been approved
if($channel_perm & PERMS_PENDING) { if($channel_perm & PERMS_PENDING && (! intval($x[0]['abook_pseudo']))) {
return true; return true;
} }