X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=sidebyside;f=include%2Fsecurity.php;h=af18a281a6e4d49a2f0da5e264d72917a6a619be;hb=4a22710b3bd82143ab4e012e84d995d3768f7c50;hp=c443586c252a48fa946a6623ee28b5a9f0daa730;hpb=c938623a3d7e947c3b979466253ba5708af3f6b4;p=friendica.git diff --git a/include/security.php b/include/security.php index c443586c25..af18a281a6 100644 --- a/include/security.php +++ b/include/security.php @@ -1,11 +1,18 @@ $user["uid"], + $value = json_encode(["uid" => $user["uid"], "hash" => cookie_hash($user), - "ip" => $_SERVER['REMOTE_ADDR'])); + "ip" => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')]); } else { $value = ""; } @@ -65,7 +72,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive $_SESSION['page_flags'] = $user_record['page-flags']; $_SESSION['my_url'] = System::baseUrl() . '/profile/' . $user_record['nickname']; $_SESSION['my_address'] = $user_record['nickname'] . '@' . substr(System::baseUrl(), strpos(System::baseUrl(), '://') + 3); - $_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; + $_SESSION['addr'] = defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0'); $a->user = $user_record; @@ -73,10 +80,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive if ($a->user['login_date'] <= NULL_DATE) { $_SESSION['return_url'] = 'profile_photo/new'; $a->module = 'profile_photo'; - info(t("Welcome ") . $a->user['username'] . EOL); - info(t('Please upload a profile photo.') . EOL); + info(L10n::t("Welcome ") . $a->user['username'] . EOL); + info(L10n::t('Please upload a profile photo.') . EOL); } else { - info(t("Welcome back ") . $a->user['username'] . EOL); + info(L10n::t("Welcome back ") . $a->user['username'] . EOL); } } @@ -94,30 +101,51 @@ function authenticate_success($user_record, $login_initial = false, $interactive $master_record = $a->user; if ((x($_SESSION, 'submanage')) && intval($_SESSION['submanage'])) { - $r = dba::fetch_first("SELECT * FROM `user` WHERE `uid` = ? LIMIT 1", - intval($_SESSION['submanage']) - ); - if (DBM::is_result($r)) { - $master_record = $r; + $user = DBA::selectFirst('user', [], ['uid' => $_SESSION['submanage']]); + if (DBA::isResult($user)) { + $master_record = $user; } } - $r = dba::select('user', array('uid', 'username', 'nickname'), - array('password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false)); - if (DBM::is_result($r)) { - $a->identities = dba::inArray($r); + if ($master_record['parent-uid'] == 0) { + // First add our own entry + $a->identities = [['uid' => $master_record['uid'], + 'username' => $master_record['username'], + 'nickname' => $master_record['nickname']]]; + + // Then add all the children + $r = DBA::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); + if (DBA::isResult($r)) { + $a->identities = array_merge($a->identities, DBA::toArray($r)); + } } else { - $a->identities = array(); + // Just ensure that the array is always defined + $a->identities = []; + + // First entry is our parent + $r = DBA::select('user', ['uid', 'username', 'nickname'], + ['uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBA::isResult($r)) { + $a->identities = DBA::toArray($r); + } + + // Then add all siblings + $r = DBA::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBA::isResult($r)) { + $a->identities = array_merge($a->identities, DBA::toArray($r)); + } } - $r = dba::p("SELECT `user`.`uid`, `user`.`username`, `user`.`nickname` + $r = DBA::p("SELECT `user`.`uid`, `user`.`username`, `user`.`nickname` FROM `manage` INNER JOIN `user` ON `manage`.`mid` = `user`.`uid` WHERE `user`.`account_removed` = 0 AND `manage`.`uid` = ?", $master_record['uid'] ); - if (DBM::is_result($r)) { - $a->identities = array_merge($a->identities, dba::inArray($r)); + if (DBA::isResult($r)) { + $a->identities = array_merge($a->identities, DBA::toArray($r)); } if ($login_initial) { @@ -127,37 +155,39 @@ function authenticate_success($user_record, $login_initial = false, $interactive logger('auth_identities refresh: ' . print_r($a->identities, true), LOGGER_DEBUG); } - $r = dba::fetch_first("SELECT * FROM `contact` WHERE `uid` = ? AND `self` LIMIT 1", $_SESSION['uid']); - if (DBM::is_result($r)) { - $a->contact = $r; - $a->cid = $r['id']; + $contact = DBA::selectFirst('contact', [], ['uid' => $_SESSION['uid'], 'self' => true]); + if (DBA::isResult($contact)) { + $a->contact = $contact; + $a->cid = $contact['id']; $_SESSION['cid'] = $a->cid; } header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] . '"'); if ($login_initial || $login_refresh) { - dba::update('user', array('login_date' => datetime_convert()), array('uid' => $_SESSION['uid'])); + DBA::update('user', ['login_date' => DateTimeFormat::utcNow()], ['uid' => $_SESSION['uid']]); // Set the login date for all identities of the user - dba::update('user', array('login_date' => datetime_convert()), - array('password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false)); + DBA::update('user', ['login_date' => DateTimeFormat::utcNow()], + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); } if ($login_initial) { - // If the user specified to remember the authentication, then set a cookie - // that expires after one week (the default is when the browser is closed). - // The cookie will be renewed automatically. - // The week ensures that sessions will expire after some inactivity. + /* + * If the user specified to remember the authentication, then set a cookie + * that expires after one week (the default is when the browser is closed). + * The cookie will be renewed automatically. + * The week ensures that sessions will expire after some inactivity. + */ if ($_SESSION['remember']) { - logger('Injecting cookie for remembered user ' . $_SESSION['remember_user']['nickname']); + logger('Injecting cookie for remembered user ' . $a->user['nickname']); new_cookie(604800, $user_record); unset($_SESSION['remember']); } } if ($login_initial) { - call_hooks('logged_in', $a->user); + Addon::callHooks('logged_in', $a->user); if (($a->module !== 'home') && isset($_SESSION['return_url'])) { goaway(System::baseUrl() . '/' . $_SESSION['return_url']); @@ -165,7 +195,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive } } -function can_write_wall(App $a, $owner) +function can_write_wall($owner) { static $verified = 0; @@ -174,8 +204,11 @@ function can_write_wall(App $a, $owner) } $uid = local_user(); + if ($uid == $owner) { + return true; + } - if (($uid) && ($uid == $owner)) { + if (local_user() && ($owner == 0)) { return true; } @@ -210,12 +243,12 @@ function can_write_wall(App $a, $owner) AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1", intval($owner), intval($cid), - intval(CONTACT_IS_SHARING), - intval(CONTACT_IS_FRIEND), - intval(PAGE_COMMUNITY) + intval(Contact::SHARING), + intval(Contact::FRIEND), + intval(Contact::PAGE_COMMUNITY) ); - if (DBM::is_result($r)) { + if (DBA::isResult($r)) { $verified = 2; return true; } else { @@ -227,6 +260,7 @@ function can_write_wall(App $a, $owner) return false; } +/// @TODO $groups should be array function permissions_sql($owner_id, $remote_verified = false, $groups = null) { $local_user = local_user(); @@ -248,6 +282,13 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) */ if ($local_user && $local_user == $owner_id) { $sql = ''; + /** + * Authenticated visitor. Unless pre-verified, + * check that the contact belongs to this $owner_id + * and load the groups the visitor belongs to. + * If pre-verified, the caller is expected to have already + * done this and passed the groups into this function. + */ } elseif ($remote_user) { /* * Authenticated visitor. Unless pre-verified, @@ -262,7 +303,7 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) intval($remote_user), intval($owner_id) ); - if (DBM::is_result($r)) { + if (DBA::isResult($r)) { $remote_verified = true; $groups = Group::getIdsByContactId($remote_user); } @@ -271,9 +312,10 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) if ($remote_verified) { $gs = '<<>>'; // should be impossible to match - if (is_array($groups) && count($groups)) { - foreach ($groups as $g) + if (is_array($groups)) { + foreach ($groups as $g) { $gs .= '|<' . intval($g) . '>'; + } } $sql = sprintf( @@ -282,9 +324,9 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) ) ", intval($remote_user), - dbesc($gs), + DBA::escape($gs), intval($remote_user), - dbesc($gs) + DBA::escape($gs) ); } } @@ -301,12 +343,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul * * default permissions - anonymous user */ - $sql = " AND `item`.allow_cid = '' - AND `item`.allow_gid = '' - AND `item`.deny_cid = '' - AND `item`.deny_gid = '' - AND `item`.private = 0 - "; + $sql = " AND NOT `item`.`private`"; // Profile owner - everything is visible if ($local_user && ($local_user == $owner_id)) { @@ -319,37 +356,15 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul * If pre-verified, the caller is expected to have already * done this and passed the groups into this function. */ - if (!$remote_verified) { - $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1", - intval($remote_user), - intval($owner_id) - ); - if (DBM::is_result($r)) { - $remote_verified = true; - $groups = Group::getIdsByContactId($remote_user); - } - } - if ($remote_verified) { - - $gs = '<<>>'; // should be impossible to match + $set = PermissionSet::get($owner_id, $remote_user, $groups); - if (is_array($groups) && count($groups)) { - foreach ($groups as $g) { - $gs .= '|<' . intval($g) . '>'; - } - } - - $sql = sprintf( - " AND ( `item`.private = 0 OR ( `item`.private in (1,2) AND `item`.`wall` = 1 - AND ( NOT (`item`.deny_cid REGEXP '<%d>' OR `item`.deny_gid REGEXP '%s') - AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = ''))))) - ", - intval($remote_user), - dbesc($gs), - intval($remote_user), - dbesc($gs) - ); + if (!empty($set)) { + $sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))"; + } else { + $sql_set = ''; } + + $sql = " AND (NOT `item`.`private`" . $sql_set . ")"; } return $sql; @@ -378,12 +393,21 @@ function get_form_security_token($typename = '') function check_form_security_token($typename = '', $formname = 'form_security_token') { - if (!x($_REQUEST, $formname)) { - return false; + $hash = null; + + if (!empty($_REQUEST[$formname])) { + /// @TODO Careful, not secured! + $hash = $_REQUEST[$formname]; + } + + if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) { + /// @TODO Careful, not secured! + $hash = $_SERVER['HTTP_X_CSRF_TOKEN']; } - /// @TODO Careful, not secured! - $hash = $_REQUEST[$formname]; + if (empty($hash)) { + return false; + } $max_livetime = 10800; // 3 hours @@ -401,7 +425,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to function check_form_security_std_err_msg() { - return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before submitting it.') . EOL; + return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL; } function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token')