src/Util/Security.php

   1 <?php
   2 /**
   3  * @file /src/Util/Security.php
   4  */
   5
   6 namespace Friendica\Util;
   7
   8 use Friendica\BaseObject;
   9 use Friendica\Database\DBA;
  10 use Friendica\Model\Contact;
  11 use Friendica\Model\Group;
  12 use Friendica\Model\User;
  13
  14 /**
  15  * Secures that User is allow to do requests
  16  */
  17 class Security extends BaseObject
  18 {
  19         public static function canWriteToUserWall($owner)
  20         {
  21                 static $verified = 0;
  22
  23                 if (!local_user() && !remote_user()) {
  24                         return false;
  25                 }
  26
  27                 $uid = local_user();
  28                 if ($uid == $owner) {
  29                         return true;
  30                 }
  31
  32                 if (local_user() && ($owner == 0)) {
  33                         return true;
  34                 }
  35
  36                 if (remote_user()) {
  37                         // use remembered decision and avoid a DB lookup for each and every display item
  38                         // DO NOT use this function if there are going to be multiple owners
  39                         // We have a contact-id for an authenticated remote user, this block determines if the contact
  40                         // belongs to this page owner, and has the necessary permissions to post content
  41
  42                         if ($verified === 2) {
  43                                 return true;
  44                         } elseif ($verified === 1) {
  45                                 return false;
  46                         } else {
  47                                 $cid = 0;
  48
  49                                 if (!empty($_SESSION['remote'])) {
  50                                         foreach ($_SESSION['remote'] as $visitor) {
  51                                                 if ($visitor['uid'] == $owner) {
  52                                                         $cid = $visitor['cid'];
  53                                                         break;
  54                                                 }
  55                                         }
  56                                 }
  57
  58                                 if (!$cid) {
  59                                         return false;
  60                                 }
  61
  62                                 $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid`
  63                                         WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
  64                                         AND `user`.`blockwall` = 0 AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
  65                                         intval($owner),
  66                                         intval($cid),
  67                                         intval(Contact::SHARING),
  68                                         intval(Contact::FRIEND),
  69                                         intval(User::PAGE_FLAGS_COMMUNITY)
  70                                 );
  71
  72                                 if (DBA::isResult($r)) {
  73                                         $verified = 2;
  74                                         return true;
  75                                 } else {
  76                                         $verified = 1;
  77                                 }
  78                         }
  79                 }
  80
  81                 return false;
  82         }
  83
  84         /// @TODO $groups should be array
  85         public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
  86         {
  87                 $local_user = local_user();
  88                 $remote_user = remote_user();
  89
  90                 /*
  91                  * Construct permissions
  92                  *
  93                  * default permissions - anonymous user
  94                  */
  95                 $sql = " AND allow_cid = ''
  96                                  AND allow_gid = ''
  97                                  AND deny_cid  = ''
  98                                  AND deny_gid  = ''
  99                 ";
 100
 101                 /*
 102                  * Profile owner - everything is visible
 103                  */
 104                 if ($local_user && $local_user == $owner_id) {
 105                         $sql = '';
 106                 /*
 107                  * Authenticated visitor. Unless pre-verified,
 108                  * check that the contact belongs to this $owner_id
 109                  * and load the groups the visitor belongs to.
 110                  * If pre-verified, the caller is expected to have already
 111                  * done this and passed the groups into this function.
 112                  */
 113                 } elseif ($remote_user) {
 114                         /*
 115                          * Authenticated visitor. Unless pre-verified,
 116                          * check that the contact belongs to this $owner_id
 117                          * and load the groups the visitor belongs to.
 118                          * If pre-verified, the caller is expected to have already
 119                          * done this and passed the groups into this function.
 120                          */
 121
 122                         if (!$remote_verified) {
 123                                 if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) {
 124                                         $remote_verified = true;
 125                                         $groups = Group::getIdsByContactId($remote_user);
 126                                 }
 127                         }
 128
 129                         if ($remote_verified) {
 130                                 $gs = '<<>>'; // should be impossible to match
 131
 132                                 if (is_array($groups)) {
 133                                         foreach ($groups as $g) {
 134                                                 $gs .= '|<' . intval($g) . '>';
 135                                         }
 136                                 }
 137
 138                                 $sql = sprintf(
 139                                         " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
 140                                           AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
 141                                           )
 142                                         ",
 143                                         intval($remote_user),
 144                                         DBA::escape($gs),
 145                                         intval($remote_user),
 146                                         DBA::escape($gs)
 147                                 );
 148                         }
 149                 }
 150                 return $sql;
 151         }
 152
 153 }