Prevent settings/userexport to be used by anonymous users

[friendica.git] / src / Repository / PermissionSet.php

diff --git a/src/Repository/PermissionSet.php b/src/Repository/PermissionSet.php
index ec0b91e0fe9c4e4e428739c424ca0f9e1009cd7e..c83e901765daa05e546993d7e6d68ff492d42267 100644 (file)
--- a/src/Repository/PermissionSet.php
+++ b/src/Repository/PermissionSet.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (C) 2020, Friendica
+ * @copyright Copyright (C) 2010-2021, the Friendica project
  *
  * @license GNU AGPL version 3 or any later version
  *
@@ -25,7 +25,6 @@ use Friendica\BaseRepository;
 use Friendica\Collection;
 use Friendica\Database\Database;
 use Friendica\Model;
-use Friendica\Model\Group;
 use Friendica\Network\HTTPException;
 use Friendica\Util\ACLFormatter;
 use Psr\Log\LoggerInterface;
@@ -93,17 +92,17 @@ class PermissionSet extends BaseRepository
        }
 
        /**
-        * @param array $condition
-        * @param array $params
+        * @param array    $condition
+        * @param array    $params
+        * @param int|null $min_id
         * @param int|null $max_id
-        * @param int|null $since_id
-        * @param int $limit
+        * @param int      $limit
         * @return Collection\PermissionSets
         * @throws \Exception
         */
-       public function selectByBoundaries(array $condition = [], array $params = [], int $max_id = null, int $since_id = null, int $limit = self::LIMIT)
+       public function selectByBoundaries(array $condition = [], array $params = [], int $min_id = null, int $max_id = null, int $limit = self::LIMIT)
        {
-               return parent::selectByBoundaries($condition, $params, $max_id, $since_id, $limit);
+               return parent::selectByBoundaries($condition, $params, $min_id, $max_id, $limit);
        }
 
        /**
@@ -162,9 +161,19 @@ class PermissionSet extends BaseRepository
         */
        public function selectByContactId($contact_id, $uid)
        {
+               $cdata = Model\Contact::getPublicAndUserContacID($contact_id, $uid);
+               if (!empty($cdata)) {
+                       $public_contact_str = '<' . $cdata['public'] . '>';
+                       $user_contact_str = '<' . $cdata['user'] . '>';
+                       $contact_id = $cdata['user'];
+               } else {
+                       $public_contact_str = '<' . $contact_id . '>';
+                       $user_contact_str = '';
+               }
+
                $groups = [];
-               if ($this->dba->exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
-                       $groups = Group::getIdsByContactId($contact_id);
+               if (!empty($user_contact_str) && $this->dba->exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
+                       $groups = Model\Group::getIdsByContactId($contact_id);
                }
 
                $group_str = '<<>>'; // should be impossible to match
@@ -172,11 +181,16 @@ class PermissionSet extends BaseRepository
                        $group_str .= '|<' . preg_quote($group_id) . '>';
                }
 
-               $contact_str = '<' . $contact_id . '>';
-
-               $condition = ["`uid` = ? AND (NOT (`deny_cid` REGEXP ? OR deny_gid REGEXP ?)
-                       AND (allow_cid REGEXP ? OR allow_gid REGEXP ? OR (allow_cid = '' AND allow_gid = '')))",
-                       $uid, $contact_str, $group_str, $contact_str, $group_str];
+               if (!empty($user_contact_str)) {
+                       $condition = ["`uid` = ? AND (NOT (`deny_cid` REGEXP ? OR `deny_cid` REGEXP ? OR deny_gid REGEXP ?)
+                               AND (allow_cid REGEXP ? OR allow_cid REGEXP ? OR allow_gid REGEXP ? OR (allow_cid = '' AND allow_gid = '')))",
+                               $uid, $user_contact_str, $public_contact_str, $group_str,
+                               $user_contact_str, $public_contact_str, $group_str];
+               } else {
+                       $condition = ["`uid` = ? AND (NOT (`deny_cid` REGEXP ? OR deny_gid REGEXP ?)
+                               AND (allow_cid REGEXP ? OR allow_gid REGEXP ? OR (allow_cid = '' AND allow_gid = '')))",
+                               $uid, $public_contact_str, $group_str, $public_contact_str, $group_str];
+               }
 
                return $this->select($condition);
        }