Create virtual privacy groups for private profile member lists

Zotlabs/Module/Acl.php

@@ -104,6 +104,23 @@ class Acl extends \Zotlabs\Web\Controller {
 		
 		if($type == '' || $type == 'g') {
 
+			$r = q("select id, profile_guid, profile_name from profile where is_default = 0 and uid = %d",
+				intval(local_channel())
+			);	
+			if($r) {
+				foreach($r as $rv) {
+					$groups[] = array(
+						"type"  => "g",
+						"photo" => "images/twopeople.png",
+						"name"  => t('Profile','acl') . ' ' . $rv['profile_name'],
+						"id"	=> 'vp' . $rv['id'],
+						"xid"   => 'vp.' . $rv['profile_guid'],
+						"uids"  => group_get_profile_members_xchan(local_channel(), $rv['id']),
+						"link"  => ''
+					);
+				}
+			}
+
 			$r = q("SELECT groups.id, groups.hash, groups.gname
 					FROM groups, group_member 
 					WHERE groups.deleted = 0 AND groups.uid = %d 

Zotlabs/Module/Connedit.php

@@ -245,14 +245,6 @@ class Connedit extends \Zotlabs\Web\Controller {
 			intval(local_channel())
 		);
 	
-		if($orig_record[0]['abook_profile'] != $profile_id) {
-			//Update profile photo permissions
-	
-			logger('A new profile was assigned - updating profile photos');
-			profile_photo_set_profile_perms(local_channel(),$profile_id);
-	
-		}
-	
 		if($r)
 			info( t('Connection updated.') . EOL);
 		else

Zotlabs/Module/Profile_photo.php

@@ -180,6 +180,10 @@ class Profile_photo extends \Zotlabs\Web\Controller {
 						dbesc(datetime_convert()),
 						dbesc($channel['xchan_hash'])
 					);
+
+					photo_profile_setperms(local_channel(),$base_image['resource_id'],$_REQUEST['profile']);
+
+
 					// Similarly, tell the nav bar to bypass the cache and update the avater image.
 					$_SESSION['reload_avatar'] = true;
 	
@@ -188,9 +192,6 @@ class Profile_photo extends \Zotlabs\Web\Controller {
 					// Update directory in background
 					\Zotlabs\Daemon\Master::Summon(array('Directory',$channel['channel_id']));
 	
-					// Now copy profile-permissions to pictures, to prevent privacyleaks by automatically created folder 'Profile Pictures'
-	
-					profile_photo_set_profile_perms(local_channel(),$_REQUEST['profile']);	
 				}
 				else
 					notice( t('Unable to process image') . EOL);
@@ -338,7 +339,8 @@ class Profile_photo extends \Zotlabs\Web\Controller {
 					dbesc($channel['xchan_hash'])
 				);
 	
-				profile_photo_set_profile_perms(local_channel()); // Reset default photo permissions to public
+				photo_profile_setperms(local_channel(),$resource_id,$_REQUEST['profile']);
+
 				\Zotlabs\Daemon\Master::Summon(array('Directory',local_channel()));
 				goaway(z_root() . '/profiles');
 			}

Zotlabs/Module/Profperm.php

@@ -22,7 +22,7 @@ class Profperm extends \Zotlabs\Web\Controller {
 	}
 	
 	
-		function get() {
+	function get() {
 	
 		if(! local_channel()) {
 			notice( t('Permission denied') . EOL);
@@ -94,12 +94,8 @@ class Profperm extends \Zotlabs\Web\Controller {
 	
 				}
 	
-	
-				//Time to update the permissions on the profile-pictures as well
-
-				profile_photo_set_profile_perms(local_channel(),$profile['id']);
-	
-				$r = q("SELECT * FROM abook left join xchan on abook_xchan = xchan_hash WHERE abook_channel = %d AND abook_profile = '%s'",
+				$r = q("SELECT * FROM abook left join xchan on abook_xchan = xchan_hash 
+					WHERE abook_channel = %d AND abook_profile = '%s'",
 					intval(local_channel()),
 					dbesc($profile['profile_guid'])
 				);

include/attach.php

@@ -28,29 +28,31 @@ function z_mime_content_type($filename) {
 
 	$mime_types = array(
 
-	'txt' => 'text/plain',
-	'htm' => 'text/html',
+	'txt'  => 'text/plain',
+	'htm'  => 'text/html',
 	'html' => 'text/html',
-	'php' => 'text/html',
-	'css' => 'text/css',
-	'js' => 'application/javascript',
+	'php'  => 'text/html',
+	'css'  => 'text/css',
+	'md'   => 'text/markdown',
+	'bb'   => 'text/bbcode',
+	'js'   => 'application/javascript',
 	'json' => 'application/json',
-	'xml' => 'application/xml',
-	'swf' => 'application/x-shockwave-flash',
-	'flv' => 'video/x-flv',
+	'xml'  => 'application/xml',
+	'swf'  => 'application/x-shockwave-flash',
+	'flv'  => 'video/x-flv',
 	'epub' => 'application/epub+zip',
 
 	// images
-	'png' => 'image/png',
-	'jpe' => 'image/jpeg',
+	'png'  => 'image/png',
+	'jpe'  => 'image/jpeg',
 	'jpeg' => 'image/jpeg',
-	'jpg' => 'image/jpeg',
-	'gif' => 'image/gif',
-	'bmp' => 'image/bmp',
-	'ico' => 'image/vnd.microsoft.icon',
+	'jpg'  => 'image/jpeg',
+	'gif'  => 'image/gif',
+	'bmp'  => 'image/bmp',
+	'ico'  => 'image/vnd.microsoft.icon',
 	'tiff' => 'image/tiff',
-	'tif' => 'image/tiff',
-	'svg' => 'image/svg+xml',
+	'tif'  => 'image/tiff',
+	'svg'  => 'image/svg+xml',
 	'svgz' => 'image/svg+xml',
 
 	// archives
@@ -61,27 +63,27 @@ function z_mime_content_type($filename) {
 	'cab' => 'application/vnd.ms-cab-compressed',
 
 	// audio/video
-	'mp3' => 'audio/mpeg',
-	'wav' => 'audio/wav',
-	'qt' => 'video/quicktime',
-	'mov' => 'video/quicktime',
-	'ogg' => 'audio/ogg',
-	'ogv' => 'video/ogg',
-	'ogx' => 'application/ogg',
+	'mp3'  => 'audio/mpeg',
+	'wav'  => 'audio/wav',
+	'qt'   => 'video/quicktime',
+	'mov'  => 'video/quicktime',
+	'ogg'  => 'audio/ogg',
+	'ogv'  => 'video/ogg',
+	'ogx'  => 'application/ogg',
 	'flac' => 'audio/flac',
 	'opus' => 'audio/ogg',
 	'webm' => 'video/webm',
 //	'webm' => 'audio/webm',
-	'mp4' => 'video/mp4',
-//	'mp4' => 'audio/mp4',
-	'mkv' => 'video/x-matroska',
+	'mp4'  => 'video/mp4',
+//	'mp4'  => 'audio/mp4',
+	'mkv'  => 'video/x-matroska',
 
 	// adobe
 	'pdf' => 'application/pdf',
 	'psd' => 'image/vnd.adobe.photoshop',
-	'ai' => 'application/postscript',
+	'ai'  => 'application/postscript',
 	'eps' => 'application/postscript',
-	'ps' => 'application/postscript',
+	'ps'  => 'application/postscript',
 
 	// ms office
 	'doc' => 'application/msword',

include/group.php

@@ -227,6 +227,26 @@ function group_get_members_xchan($gid) {
 	return $ret;
 }
 
+function group_get_profile_members_xchan($uid,$gid) {
+	$ret = [];
+
+	if(intval($gid)) {
+		$r = q("SELECT abook_xchan as xchan from abook left join profile on abook_profile = profile_guid where profile.id = %d and profile.uid = %d",
+			intval($gid),
+			intval($uid)
+		);
+		if($r) {
+			foreach($r as $rr) {
+				$ret[] = $rr['xchan'];
+			}
+		}
+	}
+	return $ret;
+}
+
+
+
+
 function mini_group_select($uid,$group = '') {
 	
 	$grps = array();
@@ -320,20 +340,46 @@ function group_side($every="connections",$each="group",$edit = false, $group_id
 	return $o;
 }
 
-function expand_groups($a) {
-	if(! (is_array($a) && count($a)))
+function expand_groups($g) {
+	if(! (is_array($g) && count($g)))
 		return array();
-	$x = $a;
-	stringify_array_elms($x,true);
-	$groups = implode(',', $x);
 
-	if($groups)
-		$r = q("SELECT xchan FROM group_member WHERE gid IN ( select id from groups where hash in ( $groups ))");
-	$ret = array();
+	$ret = [];
+	$x   = [];
 
-	if($r)
-		foreach($r as $rr)
-			$ret[] = $rr['xchan'];
+	// private profile linked virtual groups
+
+	foreach($g as $gv) {
+		if(substr($gv,0,3) === 'vp.') {
+			$profile_hash = substr($gv,3);
+			if($profile_hash) {
+				$r = q("select abook_xchan from abook where abook_profile = '%s'",
+					dbesc($profile_hash)
+				);
+				if($r) {
+					foreach($r as $rv) {
+						$ret[] = $rv['abook_xchan'];
+					}
+				}
+			}
+		}
+		else {
+			$x[] = $gv;
+		}
+	}								 
+
+	if($x) {
+		stringify_array_elms($x,true);
+		$groups = implode(',', $x);
+		if($groups) {
+			$r = q("SELECT xchan FROM group_member WHERE gid IN ( select id from groups where hash in ( $groups ))");
+			if($r) {
+				foreach($r as $rr) {
+					$ret[] = $rr['xchan'];
+				}
+			}
+		}
+	}
 	return $ret;
 }
 

include/photos.php

@@ -718,10 +718,59 @@ function gps2Num($coordPart) {
     return floatval($parts[0]) / floatval($parts[1]);
 }
 
+
+function photo_profile_setperms($channel_id,$resource_id,$profile_id) {
+
+	if(! $profile_id)
+		return;
+
+	$r = q("select profile_guid, is_default from profile where id = %d and uid = %d limit 1",
+		dbesc($profile_id),
+		intval($channel_id)
+	); 
+
+	if(! $r)
+		return;
+
+	$is_default   = $r[0]['is_default'];
+	$profile_guid = $r[0]['profile_guid'];
+
+	if($is_default) {
+		$r = q("update photo set allow_cid = '', allow_gid = '', deny_cid = '', deny_gid = '' 
+			where resource_id = '%s' and uid = %d",
+			dbesc($resource_id),
+			intval($channel_id)
+		);
+		$r = q("update attach set allow_cid = '', allow_gid = '', deny_cid = '', deny_gid = '' 
+			where hash = '%s' and uid = %d",
+			dbesc($resource_id),
+			intval($channel_id)
+		);
+	}
+	else {
+		$r = q("update photo set allow_cid = '', allow_gid = '%s', deny_cid = '', deny_gid = '' 
+			where resource_id = '%s' and uid = %d",
+			dbesc('vp.' . $profile_guid),
+			dbesc($resource_id),
+			intval($channel_id)
+		);
+
+		$r = q("update attach set allow_cid = '', allow_gid = '%s', deny_cid = '', deny_gid = '' 
+			where hash = '%s' and uid = %d",
+			dbesc('vp.' . $profile_guid),
+			dbesc($resource_id),
+			intval($channel_id)
+		);
+	}
+}
+
 function profile_photo_set_profile_perms($uid, $profileid = 0) {
 
-		$allowcid = '';
-		if($profileid) {
+	$allowcid = '';
+
+
+	if($profileid) {
+
 			$r = q("SELECT photo, profile_guid, id, is_default, uid
 				FROM profile WHERE uid = %d and ( profile.id = %d OR profile.profile_guid = '%s') LIMIT 1",
 				intval($uid),

include/security.php

@@ -553,7 +553,21 @@ function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'f
 // var $contact_id = xchan_hash of connection
 
 function init_groups_visitor($contact_id) {
-	$groups = array();
+	$groups = [];
+
+	// private profiles are treated as a virtual group
+
+	$r = q("SELECT abook_profile from abook where abook_xchan = '%s' and abook_profile != '' ",
+		dbesc($contact_id)
+	);
+	if($r) {
+		foreach($r as $rv) {
+			$groups[] = 'vp.' . $rv['abook_profile'];
+		}
+	}
+
+	// physical groups this channel is a member of
+
 	$r = q("SELECT hash FROM groups left join group_member on groups.id = group_member.gid WHERE xchan = '%s' ",
 		dbesc($contact_id)
 	);