3 * @copyright Copyright (C) 2010-2022, the Friendica project
5 * @license GNU AGPL version 3 or any later version
7 * This program is free software: you can redistribute it and/or modify
8 * it under the terms of the GNU Affero General Public License as
9 * published by the Free Software Foundation, either version 3 of the
10 * License, or (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU Affero General Public License for more details.
17 * You should have received a copy of the GNU Affero General Public License
18 * along with this program. If not, see <https://www.gnu.org/licenses/>.
22 namespace Friendica\Security;
24 use Friendica\Database\DBA;
26 use Friendica\Model\Contact;
27 use Friendica\Model\Group;
28 use Friendica\Model\User;
31 * Secures that User is allow to do requests
35 public static function canWriteToUserWall($owner)
39 if (!DI::userSession()->isAuthenticated()) {
43 $uid = DI::userSession()->getLocalUserId();
48 if (DI::userSession()->getLocalUserId() && ($owner == 0)) {
52 if (!empty($cid = DI::userSession()->getRemoteContactID($owner))) {
53 // use remembered decision and avoid a DB lookup for each and every display item
54 // DO NOT use this function if there are going to be multiple owners
55 // We have a contact-id for an authenticated remote user, this block determines if the contact
56 // belongs to this page owner, and has the necessary permissions to post content
58 if ($verified === 2) {
60 } elseif ($verified === 1) {
63 $user = User::getById($owner);
64 if (!$user || $user['blockwall']) {
69 $contact = Contact::getById($cid);
70 if ($contact || $contact['blocked'] || $contact['readonly'] || $contact['pending']) {
75 if (in_array($contact['rel'], [Contact::SHARING, Contact::FRIEND]) || ($user['page-flags'] == User::PAGE_FLAGS_COMMUNITY)) {
88 * Create a permission string for an element based on the visitor
90 * @param integer $owner_id User ID of the owner of the element
91 * @param boolean $accessible Should the element be accessible anyway?
92 * @return string SQL permissions
94 public static function getPermissionsSQLByUserId(int $owner_id, bool $accessible = false)
96 $local_user = DI::userSession()->getLocalUserId();
97 $remote_contact = DI::userSession()->getRemoteContactID($owner_id);
101 $acc_sql = ' OR `accessible`';
105 * Construct permissions
107 * default permissions - anonymous user
109 $sql = " AND (allow_cid = ''
112 AND deny_gid = ''" . $acc_sql . ") ";
115 * Profile owner - everything is visible
117 if ($local_user && $local_user == $owner_id) {
120 * Authenticated visitor. Load the groups the visitor belongs to.
122 } elseif ($remote_contact) {
123 $gs = '<<>>'; // should be impossible to match
125 $groups = Group::getIdsByContactId($remote_contact);
127 if (is_array($groups)) {
128 foreach ($groups as $g) {
129 $gs .= '|<' . intval($g) . '>';
134 " AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
135 AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s'
136 OR (allow_cid = '' AND allow_gid = ''))" . $acc_sql . ") ",
137 intval($remote_contact),
139 intval($remote_contact),