harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'mike/master' into dev

Browse Source
This commit is contained in:
Mario Vavti 2018-05-01 10:19:03 +02:00
commit eb2d6fca3a
2 changed files with 48 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
Zotlabs/Module/Photo.php
View File

@ -127,69 +127,45 @@ class Photo extends \Zotlabs\Web\Controller {
} }
} }
$r = q("SELECT uid FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1", $r = q("SELECT uid, photo_usage FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
dbesc($photo), dbesc($photo),
intval($resolution) intval($resolution)
); );
if($r) { if($r) {
$allowed = (($r[0]['uid']) ? perm_is_allowed($r[0]['uid'],$observer_xchan,'view_storage') : true); $allowed = (-1);
$sql_extra = permissions_sql($r[0]['uid']); if(intval($r[0]['photo_usage'])) {
$allowed = 1;
if(! $sql_extra) if(intval($r[0]['photo_usage']) === PHOTO_COVER)
$sql_extra = ' and true '; if($resolution < PHOTO_RES_COVER_1200)
$allowed = (-1);
// Only check permissions on normal photos. Those photos we don't check includes if(intval($r[0]['photo_usage']) === PHOTO_PROFILE)
// profile photos, xchan photos (which are also profile photos), 'thing' photos, if(! in_array($resolution,[4,5,6]))
// and cover photos $allowed = (-1);
}
$sql_extra = " and (( photo_usage = 0 $sql_extra ) or photo_usage != 0 )"; if($allowed === (-1))
$allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo);
$channel = channelx_by_n($r[0]['uid']); $channel = channelx_by_n($r[0]['uid']);
// Now we'll see if we can access the photo // Now we'll see if we can access the photo
$r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1", $e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1",
dbesc($photo), dbesc($photo),
intval($resolution) intval($resolution)
); );
// viewing cover photos is allowed unless a plugin chooses to block it. $exists = (($e) ? true : false);
if($r && intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution >= PHOTO_RES_COVER_1200) if($exists && $allowed) {
$allowed = 1; $data = dbunescbin($e[0]['content']);
$mimetype = $e[0]['mimetype'];
$d = [ 'imgscale' => $resolution, 'resource_id' => $photo, 'photo' => $r, 'allowed' => $allowed ]; if(intval($e[0]['os_storage'])) {
call_hooks('get_photo',$d);
$resolution = $d['imgscale'];
$photo = $d['resource_id'];
$r = $d['photo'];
$allowed = $d['allowed'];
if($r && $allowed) {
$data = dbunescbin($r[0]['content']);
$mimetype = $r[0]['mimetype'];
if(intval($r[0]['os_storage'])) {
$streaming = $data; $streaming = $data;
} }
} }
else { else {
if(! $allowed) {
// Does the picture exist? It may be a remote person with no credentials,
// but who should otherwise be able to view it. Show a default image to let
// them know permissions was denied. It may be possible to view the image
// through an authenticated profile visit.
// There won't be many completely unauthorised people seeing this because
// they won't have the photo link, so there's a reasonable chance that the person
// might be able to obtain permission to view it.
$r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
dbesc($photo),
intval($resolution)
);
if($r) {
logger('mod_photo: forbidden. ' . \App::$query_string); logger('mod_photo: forbidden. ' . \App::$query_string);
$observer = \App::get_observer(); $observer = \App::get_observer();
logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)')); logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)'));
@ -201,9 +177,6 @@ class Photo extends \Zotlabs\Web\Controller {
} }
} }
if(! isset($data)) { if(! isset($data)) {
if(isset($resolution)) { if(isset($resolution)) {
switch($resolution) { switch($resolution) {
@ -295,7 +268,6 @@ class Photo extends \Zotlabs\Web\Controller {
} }
killme(); killme();
// NOTREACHED
} }
} }

39
include/attach.php
View File

@ -266,14 +266,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
return $ret; return $ret;
} }
if(! perm_is_allowed($r[0]['uid'], $observer_hash, 'view_storage')) { if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
$ret['message'] = t('Permission denied.'); $ret['message'] = t('Permission denied.');
return $ret; return $ret;
} }
$sql_extra = permissions_sql($r[0]['uid'],$observer_hash); // We've already checked for existence and permissions
// Now we'll see if we can access the attachment
$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1", $r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
dbesc($hash), dbesc($hash),
@ -281,20 +279,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
); );
if(! $r) { if(! $r) {
$ret['message'] = t('Permission denied.'); $ret['message'] = t('Unknown error.');
return $ret; return $ret;
} }
$r[0]['content'] = dbunescbin($r[0]['content']); $r[0]['content'] = dbunescbin($r[0]['content']);
if($r[0]['folder']) {
$x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
if(! $x) {
$ret['message'] = t('Permission denied.');
return $ret;
}
}
$ret['success'] = true; $ret['success'] = true;
$ret['data'] = $r[0]; $ret['data'] = $r[0];
@ -302,6 +292,29 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
} }
function attach_can_view($uid,$ob_hash,$resource) {
$sql_extra = permissions_sql($uid,$ob_hash);
$hash = $resource;
if(! perm_is_allowed($uid,$ob_hash,'view_storage')) {
return false;
}
$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
dbesc($hash),
intval($uid)
);
if(! $r) {
return false;
}
return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']);
}
function attach_can_view_folder($uid,$ob_hash,$folder_hash) { function attach_can_view_folder($uid,$ob_hash,$folder_hash) {
$sql_extra = permissions_sql($uid,$ob_hash); $sql_extra = permissions_sql($uid,$ob_hash);