src/Util/Security.php

   1 <?php
   2 /**
   3  * @file /src/Util/Security.php
   4  */
   5
   6 namespace Friendica\Util;
   7
   8 use Friendica\BaseObject;
   9 use Friendica\Database\DBA;
  10 use Friendica\Model\Contact;
  11 use Friendica\Model\Group;
  12 use Friendica\Model\User;
  13 use Friendica\Core\Session;
  14
  15 /**
  16  * Secures that User is allow to do requests
  17  */
  18 class Security extends BaseObject
  19 {
  20         public static function canWriteToUserWall($owner)
  21         {
  22                 static $verified = 0;
  23
  24                 if (!Session::isAuthenticated()) {
  25                         return false;
  26                 }
  27
  28                 $uid = local_user();
  29                 if ($uid == $owner) {
  30                         return true;
  31                 }
  32
  33                 if (local_user() && ($owner == 0)) {
  34                         return true;
  35                 }
  36
  37                 if (!empty(Session::getRemoteContactID($owner))) {
  38                         // use remembered decision and avoid a DB lookup for each and every display item
  39                         // DO NOT use this function if there are going to be multiple owners
  40                         // We have a contact-id for an authenticated remote user, this block determines if the contact
  41                         // belongs to this page owner, and has the necessary permissions to post content
  42
  43                         if ($verified === 2) {
  44                                 return true;
  45                         } elseif ($verified === 1) {
  46                                 return false;
  47                         } else {
  48                                 $cid = Session::getRemoteContactID($owner);
  49                                 if (!$cid) {
  50                                         return false;
  51                                 }
  52
  53                                 $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid`
  54                                         WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
  55                                         AND `user`.`blockwall` = 0 AND `readonly` = 0  AND (`contact`.`rel` IN (%d , %d) OR `user`.`page-flags` = %d) LIMIT 1",
  56                                         intval($owner),
  57                                         intval($cid),
  58                                         intval(Contact::SHARING),
  59                                         intval(Contact::FRIEND),
  60                                         intval(User::PAGE_FLAGS_COMMUNITY)
  61                                 );
  62
  63                                 if (DBA::isResult($r)) {
  64                                         $verified = 2;
  65                                         return true;
  66                                 } else {
  67                                         $verified = 1;
  68                                 }
  69                         }
  70                 }
  71
  72                 return false;
  73         }
  74
  75         public static function getPermissionsSQLByUserId($owner_id)
  76         {
  77                 $local_user = local_user();
  78                 $remote_contact = Session::getRemoteContactID($owner_id);
  79
  80                 /*
  81                  * Construct permissions
  82                  *
  83                  * default permissions - anonymous user
  84                  */
  85                 $sql = " AND allow_cid = ''
  86                          AND allow_gid = ''
  87                          AND deny_cid  = ''
  88                          AND deny_gid  = '' ";
  89
  90                 /*
  91                  * Profile owner - everything is visible
  92                  */
  93                 if ($local_user && $local_user == $owner_id) {
  94                         $sql = '';
  95                 /*
  96                  * Authenticated visitor. Load the groups the visitor belongs to.
  97                  */
  98                 } elseif ($remote_contact) {
  99                         $gs = '<<>>'; // should be impossible to match
 100
 101                         $groups = Group::getIdsByContactId($remote_contact);
 102
 103                         if (is_array($groups)) {
 104                                 foreach ($groups as $g) {
 105                                         $gs .= '|<' . intval($g) . '>';
 106                                 }
 107                         }
 108
 109                         $sql = sprintf(
 110                                 " AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
 111                                   AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR (allow_cid = '' AND allow_gid = ''))) ",
 112                                 intval($remote_contact),
 113                                 DBA::escape($gs),
 114                                 intval($remote_contact),
 115                                 DBA::escape($gs)
 116                         );
 117                 }
 118                 return $sql;
 119         }
 120 }