bug fix #1115

[friendica.git] / include / security.php

diff --git a/include/security.php b/include/security.php
index 126f162377f39734099628e27c207ae48675a7c7..6e722d673bb7b664b9eddb4bbafd1a8c99af0bc2 100644 (file)
--- a/include/security.php
+++ b/include/security.php
@@ -36,7 +36,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
                $a->timezone = $a->user['timezone'];
        }
 
-       $master_record = $a->user;      
+       $master_record = $a->user;
 
        if((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) {
                $r = q("select * from user where uid = %d limit 1",
@@ -46,7 +46,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
                        $master_record = $r[0];
        }
 
-       $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s'",
+       $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s' AND `account_removed` = 0 ",
                dbesc($master_record['password']),
                dbesc($master_record['email'])
        );
@@ -56,8 +56,8 @@ function authenticate_success($user_record, $login_initial = false, $interactive
                $a->identities = array();
 
        $r = q("select `user`.`uid`, `user`.`username`, `user`.`nickname` 
-               from manage left join user on manage.mid = user.uid 
-               where `manage`.`uid` = %d",
+               from manage INNER JOIN user on manage.mid = user.uid where `user`.`account_removed` = 0
+               and `manage`.`uid` = %d",
                intval($master_record['uid'])
        );
        if($r && count($r))
@@ -81,7 +81,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive
        if($login_initial || $login_refresh) {
                $l = get_browser_language();
 
-               q("UPDATE `user` SET `login_date` = '%s', `language` = '%s' WHERE `uid` = %d LIMIT 1",
+               q("UPDATE `user` SET `login_date` = '%s', `language` = '%s' WHERE `uid` = %d",
                        dbesc(datetime_convert()),
                        dbesc($l),
                        intval($_SESSION['uid'])
@@ -139,7 +139,7 @@ function can_write_wall(&$a,$owner) {
                                return false;
 
 
-                       $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `user`.`uid` = `contact`.`uid` 
+                       $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid` 
                                WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 
                                AND `user`.`blockwall` = 0 AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
                                intval($owner),
@@ -209,7 +209,7 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
                        }
                }
                if($remote_verified) {
-               
+
                        $gs = '<<>>'; // should be impossible to match
 
                        if(is_array($groups) && count($groups)) {
@@ -255,11 +255,11 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
         * default permissions - anonymous user
         */
 
-       $sql = " AND allow_cid = '' 
-                        AND allow_gid = '' 
-                        AND deny_cid  = '' 
-                        AND deny_gid  = '' 
-                        AND private = 0
+       $sql = " AND `item`.allow_cid = ''
+                        AND `item`.allow_gid = ''
+                        AND `item`.deny_cid  = ''
+                        AND `item`.deny_gid  = ''
+                        AND `item`.private = 0
        ";
 
        /**
@@ -291,7 +291,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
                        }
                }
                if($remote_verified) {
-               
+
                        $gs = '<<>>'; // should be impossible to match
 
                        if(is_array($groups) && count($groups)) {
@@ -300,7 +300,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
                        } 
 
                        $sql = sprintf(
-                               " AND ( private = 0 OR ( private in (1,2) AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) 
+                               /*" AND ( private = 0 OR ( private in (1,2) AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) 
                                  AND ( deny_cid  = '' OR  NOT deny_cid REGEXP '<%d>' ) 
                                  AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
                                  AND ( deny_gid  = '' OR NOT deny_gid REGEXP '%s'))) 
@@ -309,6 +309,15 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
                                intval($remote_user),
                                dbesc($gs),
                                dbesc($gs)
+*/
+                               " AND ( `item`.private = 0 OR ( `item`.private in (1,2) AND `item`.`wall` = 1
+                                 AND ( NOT (`item`.deny_cid REGEXP '<%d>' OR `item`.deny_gid REGEXP '%s')
+                                 AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = '')))))
+                               ",
+                               intval($remote_user),
+                               dbesc($gs),
+                               intval($remote_user),
+                               dbesc($gs)
                        );
                }
        }