]> git.mxchange.org Git - friendica.git/blob - mod/item.php
cache result of (expensive) security check for visitor rights
[friendica.git] / mod / item.php
1 <?php
2
3 // This is the POST destination for most all locally posted
4 // text stuff. This function handles status, wall-to-wall status, 
5 // local comments, and remote coments - that are posted on this site 
6 // (as opposed to being delivered in a feed).
7 // All of these become an "item" which is our basic unit of 
8 // information. 
9
10 function item_post(&$a) {
11
12         if((! local_user()) && (! remote_user()))
13                 return;
14
15         require_once('include/security.php');
16
17         $uid = local_user();
18
19         $parent = ((x($_POST,'parent')) ? intval($_POST['parent']) : 0);
20
21         $parent_item = null;
22
23         if($parent) {
24                 $r = q("SELECT * FROM `item` WHERE `id` = %d LIMIT 1",
25                         intval($parent)
26                 );
27                 if(! count($r)) {
28                         notice( t('Unable to locate original post.') . EOL);
29                         goaway($a->get_baseurl() . "/" . $_POST['return'] );
30                 }
31                 $parent_item = $r[0];
32         }
33
34         $profile_uid = ((x($_POST,'profile_uid')) ? intval($_POST['profile_uid']) : 0);
35
36
37         if(! can_write_wall($a,$profile_uid)) {
38                 notice( t('Permission denied.') . EOL) ;
39                 return;
40         }
41
42         $user = null;
43
44         $r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
45                 intval($profile_uid)
46         );
47         if(count($r))
48                 $user = $r[0];
49         
50
51         $str_group_allow   = perms2str($_POST['group_allow']);
52         $str_contact_allow = perms2str($_POST['contact_allow']);
53         $str_group_deny    = perms2str($_POST['group_deny']);
54         $str_contact_deny  = perms2str($_POST['contact_deny']);
55
56         $title             = notags(trim($_POST['title']));
57         $body              = escape_tags(trim($_POST['body']));
58         $location          = notags(trim($_POST['location']));
59         $coord             = notags(trim($_POST['coord']));
60         $verb              = notags(trim($_POST['verb']));
61
62         if(! strlen($body)) {
63                 notice( t('Empty post discarded.') . EOL );
64                 goaway($a->get_baseurl() . "/" . $_POST['return'] );
65
66         }
67
68         // get contact info for poster
69
70         $author = null;
71
72         if(($_SESSION['uid']) && ($_SESSION['uid'] == $profile_uid)) {
73                 $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
74                         intval($_SESSION['uid'])
75                 );
76         }
77         else {
78                 if((x($_SESSION,'visitor_id')) && (intval($_SESSION['visitor_id']))) {
79                         $r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
80                                 intval($_SESSION['visitor_id'])
81                         );
82                 }
83         }
84
85         if(count($r)) {
86                 $author = $r[0];
87                 $contact_id = $author['id'];
88         }
89
90         // get contact info for owner
91         
92         if($profile_uid == $_SESSION['uid']) {
93                 $contact_record = $author;
94         }
95         else {
96                 $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
97                         intval($profile_uid)
98                 );
99                 if(count($r))
100                         $contact_record = $r[0];
101         }
102
103         $post_type = notags(trim($_POST['type']));
104
105         if($post_type === 'net-comment') {
106                 if($parent_item !== null) {
107                         if($parent_item['type'] === 'remote') {
108                                 $post_type = 'remote-comment';
109                         } 
110                         else {          
111                                 $post_type = 'wall-comment';
112                         }
113                 }
114         }
115
116         $str_tags = '';
117         $inform   = '';
118
119         $tags = get_tags($body);
120
121
122         if(count($tags)) {
123                 foreach($tags as $tag) {
124                         if(strpos($tag,'#') === 0) {
125                                 $basetag = str_replace('_',' ',substr($tag,1));
126                                 $body = str_replace($tag,'#[url=' . $a->get_baseurl() . '/search?search=' . rawurlencode($basetag) . ']' . $basetag . '[/url]',$body);
127                                 if(strlen($str_tags))
128                                         $str_tags .= ',';
129                                 $str_tags .= '#[url=' . $a->get_baseurl() . '/search?search=' . rawurlencode($basetag) . ']' . $basetag . '[/url]';
130                                 continue;
131                         }
132                         if(strpos($tag,'@') === 0) {
133                                 $name = substr($tag,1);
134                                 if((strpos($name,'@')) || (strpos($name,'http://'))) {
135                                         $newname = $name;
136                                         $links = @lrdd($name);
137                                         if(count($links)) {
138                                                 foreach($links as $link) {
139                                                         if($link['@attributes']['rel'] === 'http://webfinger.net/rel/profile-page')
140                                         $profile = $link['@attributes']['href'];
141                                                         if($link['@attributes']['rel'] === 'salmon') {
142                                                                 if(strlen($inform))
143                                                                         $inform .= ',';
144                                         $inform .= 'url:' . str_replace(',','%2c',$link['@attributes']['href']);
145                                                         }
146                                                 }
147                                         }
148                                 }
149                                 else {
150                                         $newname = $name;
151                                         if(strstr($name,'_')) {
152                                                 $newname = str_replace('_',' ',$name);
153                                                 $r = q("SELECT * FROM `contact` WHERE `name` = '%s' AND `uid` = %d LIMIT 1",
154                                                         dbesc($newname),
155                                                         intval($profile_uid)
156                                                 );
157                                         }
158                                         else {
159                                                 $r = q("SELECT * FROM `contact` WHERE `nick` = '%s' AND `uid` = %d LIMIT 1",
160                                                         dbesc($name),
161                                                         intval($profile_uid)
162                                                 );
163                                         }
164                                         if(count($r)) {
165                                                 $profile = $r[0]['url'];
166                                                 $newname = $r[0]['name'];
167                                                 if(strlen($inform))
168                                                         $inform .= ',';
169                                                 $inform .= 'cid:' . $r[0]['id'];
170                                         }
171                                 }
172                                 if($profile) {
173                                         $body = str_replace($name,'[url=' . $profile . ']' . $newname   . '[/url]', $body);
174                                         $profile = str_replace(',','%2c',$profile);
175                                         if(strlen($str_tags))
176                                                 $str_tags .= ',';
177                                         $str_tags .= '@[url=' . $profile . ']' . $newname       . '[/url]';
178                                 }
179                         }
180                 }
181         }
182
183         $wall = 0;
184         if($post_type === 'wall' || $post_type === 'wall-comment')
185                 $wall = 1;
186
187         if(! strlen($verb))
188                 $verb = ACTIVITY_POST ;
189
190         $gravity = (($parent) ? 6 : 0 );
191  
192         $notify_type = (($parent) ? 'comment-new' : 'wall-new' );
193
194         $uri = item_new_uri($a->get_hostname(),$profile_uid);
195
196         $r = q("INSERT INTO `item` (`uid`,`type`,`wall`,`gravity`,`contact-id`,`owner-name`,`owner-link`,`owner-avatar`, 
197                 `author-name`, `author-link`, `author-avatar`, `created`, `edited`, `changed`, `uri`, `title`, `body`, `location`, `coord`, 
198                 `tag`, `inform`, `verb`, `allow_cid`, `allow_gid`, `deny_cid`, `deny_gid`)
199                 VALUES( %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' )",
200                 intval($profile_uid),
201                 dbesc($post_type),
202                 intval($wall),
203                 intval($gravity),
204                 intval($contact_id),
205                 dbesc($contact_record['name']),
206                 dbesc($contact_record['url']),
207                 dbesc($contact_record['thumb']),
208                 dbesc($author['name']),
209                 dbesc($author['url']),
210                 dbesc($author['thumb']),
211                 dbesc(datetime_convert()),
212                 dbesc(datetime_convert()),
213                 dbesc(datetime_convert()),
214                 dbesc($uri),
215                 dbesc($title),
216                 dbesc($body),
217                 dbesc($location),
218                 dbesc($coord),
219                 dbesc($str_tags),
220                 dbesc($inform),
221                 dbesc($verb),
222                 dbesc($str_contact_allow),
223                 dbesc($str_group_allow),
224                 dbesc($str_contact_deny),
225                 dbesc($str_group_deny)
226         );
227         $r = q("SELECT `id` FROM `item` WHERE `uri` = '%s' LIMIT 1",
228                 dbesc($uri));
229         if(count($r)) {
230                 $post_id = $r[0]['id'];
231                 logger('mod_item: saved item ' . $post_id);
232
233                 if($parent) {
234
235                         // This item is the last leaf and gets the comment box, clear any ancestors
236                         $r = q("UPDATE `item` SET `last-child` = 0, `changed` = '%s' WHERE `parent` = %d ",
237                                 dbesc(datetime_convert()),
238                                 intval($parent)
239                         );
240
241                         // Inherit ACL's from the parent item.
242                         // TODO merge with subsequent UPDATE operation and save a db write 
243
244                         $r = q("UPDATE `item` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s'
245                                 WHERE `id` = %d LIMIT 1",
246                                 dbesc($parent_item['allow_cid']),
247                                 dbesc($parent_item['allow_gid']),
248                                 dbesc($parent_item['deny_cid']),
249                                 dbesc($parent_item['deny_gid']),
250                                 intval($post_id)
251                         );
252
253                         // Send a notification email to the conversation owner, unless the owner is me and I wrote this item
254                         if(($user['notify-flags'] & NOTIFY_COMMENT) && ($contact_record != $author)) {
255                                 require_once('bbcode.php');
256                                 $from = $author['name'];
257                                 $tpl = load_view_file('view/cmnt_received_eml.tpl');                    
258                                 $email_tpl = replace_macros($tpl, array(
259                                         '$sitename' => $a->config['sitename'],
260                                         '$siteurl' =>  $a->get_baseurl(),
261                                         '$username' => $user['username'],
262                                         '$email' => $user['email'],
263                                         '$from' => $from,
264                                         '$display' => $a->get_baseurl() . '/display/' . $user['nickname'] . '/' . $post_id,
265                                         '$body' => strip_tags(bbcode($body))
266                                 ));
267
268                                 $res = mail($user['email'], $from . t(" commented on your item at ") . $a->config['sitename'],
269                                         $email_tpl,t("From: Administrator@") . $a->get_hostname() );
270                         }
271                 }
272                 else {
273                         $parent = $post_id;
274
275                         // let me know if somebody did a wall-to-wall post on my profile
276
277                         if(($user['notify-flags'] & NOTIFY_WALL) && ($contact_record != $author)) {
278                                 require_once('bbcode.php');
279                                 $from = $author['name'];
280                                 $tpl = load_view_file('view/wall_received_eml.tpl');                    
281                                 $email_tpl = replace_macros($tpl, array(
282                                         '$sitename' => $a->config['sitename'],
283                                         '$siteurl' =>  $a->get_baseurl(),
284                                         '$username' => $user['username'],
285                                         '$email' => $user['email'],
286                                         '$from' => $from,
287                                         '$display' => $a->get_baseurl() . '/display/' . $user['nickname'] . '/' . $post_id,
288                                         '$body' => strip_tags(bbcode($body))
289                                 ));
290
291                                 $res = mail($user['email'], $from . t(" posted on your profile wall at ") . $a->config['sitename'],
292                                         $email_tpl,t("From: Administrator@") . $a->get_hostname() );
293                         }
294                 }
295
296                 $r = q("UPDATE `item` SET `parent` = %d, `parent-uri` = '%s', `changed` = '%s', `last-child` = 1, `visible` = 1
297                         WHERE `id` = %d LIMIT 1",
298                         intval($parent),
299                         dbesc(($parent == $post_id) ? $uri : $parent_item['uri']),
300                         dbesc(datetime_convert()),
301                         intval($post_id)
302                 );
303
304                 // photo comments turn the corresponding item visible to the profile wall
305                 // This way we don't see every picture in your new photo album posted to your wall at once.
306                 // They will show up as people comment on them.
307
308                 if(! $parent_item['visible']) {
309                         $r = q("UPDATE `item` SET `visible` = 1 WHERE `id` = %d LIMIT 1",
310                                 intval($parent_item['id'])
311                         );
312                 }
313         }
314
315         $php_path = ((strlen($a->config['php_path'])) ? $a->config['php_path'] : 'php');
316
317         logger('mod_item: notifier invoked: ' . "\"$php_path\" \"include/notifier.php\" \"$notify_type\" \"$post_id\" &");
318
319         proc_close(proc_open("\"$php_path\" \"include/notifier.php\" \"$notify_type\" \"$post_id\" &",
320                 array(),$foo));
321
322         goaway($a->get_baseurl() . "/" . $_POST['return'] );
323         return; // NOTREACHED
324 }
325
326 function item_content(&$a) {
327
328         if((! local_user()) && (! remote_user()))
329                 return;
330
331         require_once('include/security.php');
332
333         $uid = $_SESSION['uid'];
334
335         if(($a->argc == 3) && ($a->argv[1] === 'drop') && intval($a->argv[2])) {
336
337                 // locate item to be deleted
338
339                 $r = q("SELECT * FROM `item` WHERE `id` = %d LIMIT 1",
340                         intval($a->argv[2])
341                 );
342
343                 if(! count($r)) {
344                         notice( t('Item not found.') . EOL);
345                         goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
346                 }
347                 $item = $r[0];
348
349                 // check if logged in user is either the author or owner of this item
350
351                 if(($_SESSION['visitor_id'] == $item['contact-id']) || ($_SESSION['uid'] == $item['uid'])) {
352
353                         // delete the item
354
355                         $r = q("UPDATE `item` SET `deleted` = 1, `body` = '', `edited` = '%s', `changed` = '%s' WHERE `id` = %d LIMIT 1",
356                                 dbesc(datetime_convert()),
357                                 dbesc(datetime_convert()),
358                                 intval($item['id'])
359                         );
360
361                         // If item is a link to a photo resource, nuke all the associated photos 
362                         // (visitors will not have photo resources)
363                         // This only applies to photos uploaded from the photos page. Photos inserted into a post do not
364                         // generate a resource-id and therefore aren't intimately linked to the item. 
365
366                         if(strlen($item['resource-id'])) {
367                                 $q("DELETE FROM `photo` WHERE `resource-id` = '%s' AND `uid` = %d ",
368                                         dbesc($item['resource-id']),
369                                         intval($item['uid'])
370                                 );
371                                 // ignore the result
372                         }
373
374                         // If it's the parent of a comment thread, kill all the kids
375
376                         if($item['uri'] == $item['parent-uri']) {
377                                 $r = q("UPDATE `item` SET `deleted` = 1, `edited` = '%s', `changed` = '%s', `body` = '' 
378                                         WHERE `parent-uri` = '%s' AND `uid` = %d ",
379                                         dbesc(datetime_convert()),
380                                         dbesc(datetime_convert()),
381                                         dbesc($item['parent-uri']),
382                                         intval($item['uid'])
383                                 );
384                                 // ignore the result
385                         }
386                         else {
387                                 // ensure that last-child is set in case the comment that had it just got wiped.
388                                 q("UPDATE `item` SET `last-child` = 0, `changed` = '%s' WHERE `parent-uri` = '%s' AND `uid` = %d ",
389                                         dbesc(datetime_convert()),
390                                         dbesc($item['parent-uri']),
391                                         intval($item['uid'])
392                                 );
393                                 // who is the last child now? 
394                                 $r = q("SELECT `id` FROM `item` WHERE `parent-uri` = '%s' AND `type` != 'activity' AND `deleted` = 0 AND `uid` = %d ORDER BY `edited` DESC LIMIT 1",
395                                         dbesc($item['parent-uri']),
396                                         intval($item['uid'])
397                                 );
398                                 if(count($r)) {
399                                         q("UPDATE `item` SET `last-child` = 1 WHERE `id` = %d LIMIT 1",
400                                                 intval($r[0]['id'])
401                                         );
402                                 }       
403                         }
404                         $drop_id = intval($item['id']);
405                         $php_path = ((strlen($a->config['php_path'])) ? $a->config['php_path'] : 'php');
406                         
407                         // send the notification upstream/downstream as the case may be
408
409                         proc_close(proc_open("\"$php_path\" \"include/notifier.php\" \"drop\" \"$drop_id\" &",
410                                 array(), $foo));
411
412                         goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
413                         return; //NOTREACHED
414                 }
415                 else {
416                         notice( t('Permission denied.') . EOL);
417                         goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
418                         //NOTREACHED
419                 }
420         }
421 }