harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

check public scopes against visitor in item_permissions_sql()

Browse Source
This commit is contained in:
redmatrix 2015-09-28 19:45:57 -07:00
parent 5c526995d8
commit f965209eee
2 changed files with 38 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
include/security.php
View File

@ -245,6 +245,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$observer = (($remote_observer) ? $remote_observer : get_observer_hash()); $observer = (($remote_observer) ? $remote_observer : get_observer_hash());
if($observer) { if($observer) {
$s = scopes_sql($owner_id,$observer);
$groups = init_groups_visitor($observer); $groups = init_groups_visitor($observer);
$gs = '<<>>'; // should be impossible to match $gs = '<<>>'; // should be impossible to match
@ -256,8 +259,8 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
$regexop = db_getfunc('REGEXP'); $regexop = db_getfunc('REGEXP');
$sql = sprintf( $sql = sprintf(
" AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s') " AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) ) AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
) ) OR ( item_private = 1 $s )
", ",
dbesc(protect_sprintf( '%<' . $observer . '>%')), dbesc(protect_sprintf( '%<' . $observer . '>%')),
dbesc($gs), dbesc($gs),
@ -270,6 +273,39 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
return $sql; return $sql;
} }
/**
* Remote visitors also need to be checked against the public_scope parameter if item_private is set.
* This function checks the various permutations of that field for any which apply to this observer.
*
*/
function scopes_sql($uid,$observer) {
$str = " and ( public_policy = 'authenticated' ";
if(! is_foreigner($observer))
$str .= " or public_policy = 'network: red' ";
if(local_channel())
$str .= " or public_policy = 'site: " . get_app()->get_hostname() . "' ";
$ab = q("select * from abook where abook_xchan = '%s' and abook_channel = %d limit 1",
dbesc($observer),
intval($uid)
);
if(! $ab)
return $str . " ) ";
if($ab[0]['abook_pending'])
$str .= " or public_policy = 'any connections' ";
$str .= " or public_policy = 'contacts' ) ";
return $str;
}
/** /**
* @param string $observer_hash * @param string $observer_hash
* *

1
mod/channel.php
View File

@ -153,7 +153,6 @@ function channel_content(&$a, $update = 0, $load = false) {
else else
$page_mode = 'client'; $page_mode = 'client';
$abook_uids = " and abook.abook_channel = " . intval($a->profile['profile_uid']) . " "; $abook_uids = " and abook.abook_channel = " . intval($a->profile['profile_uid']) . " ";
$simple_update = (($update) ? " AND item_unseen = 1 " : ''); $simple_update = (($update) ? " AND item_unseen = 1 " : '');