X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=include%2Fsecurity.php;h=9cff6707877e997616bbe206c973493076aa4689;hb=19aecb952dcd627dfee9de8fff5a7ea35339ae78;hp=b13a507cf483c124e5e1de3ed3817b205784d3aa;hpb=53b7e4b1021fff736f72abe15de9eff5fe65bd83;p=friendica.git diff --git a/include/security.php b/include/security.php index b13a507cf4..9cff670787 100644 --- a/include/security.php +++ b/include/security.php @@ -41,7 +41,7 @@ function new_cookie($time, $user = []) if ($user) { $value = json_encode(["uid" => $user["uid"], "hash" => cookie_hash($user), - "ip" => $_SERVER['REMOTE_ADDR']]); + "ip" => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')]); } else { $value = ""; } @@ -70,7 +70,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive $_SESSION['page_flags'] = $user_record['page-flags']; $_SESSION['my_url'] = System::baseUrl() . '/profile/' . $user_record['nickname']; $_SESSION['my_address'] = $user_record['nickname'] . '@' . substr(System::baseUrl(), strpos(System::baseUrl(), '://') + 3); - $_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; + $_SESSION['addr'] = defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0'); $a->user = $user_record; @@ -99,11 +99,9 @@ function authenticate_success($user_record, $login_initial = false, $interactive $master_record = $a->user; if ((x($_SESSION, 'submanage')) && intval($_SESSION['submanage'])) { - $r = dba::fetch_first("SELECT * FROM `user` WHERE `uid` = ? LIMIT 1", - intval($_SESSION['submanage']) - ); - if (DBM::is_result($r)) { - $master_record = $r; + $user = dba::selectFirst('user', [], ['uid' => $_SESSION['submanage']]); + if (DBM::is_result($user)) { + $master_record = $user; } } @@ -155,10 +153,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive logger('auth_identities refresh: ' . print_r($a->identities, true), LOGGER_DEBUG); } - $r = dba::fetch_first("SELECT * FROM `contact` WHERE `uid` = ? AND `self` LIMIT 1", $_SESSION['uid']); - if (DBM::is_result($r)) { - $a->contact = $r; - $a->cid = $r['id']; + $contact = dba::selectFirst('contact', [], ['uid' => $_SESSION['uid'], 'self' => true]); + if (DBM::is_result($contact)) { + $a->contact = $contact; + $a->cid = $contact['id']; $_SESSION['cid'] = $a->cid; } @@ -206,6 +204,10 @@ function can_write_wall($owner) return true; } + if (local_user() && ($owner == 0)) { + return true; + } + if (remote_user()) { // use remembered decision and avoid a DB lookup for each and every display item // DO NOT use this function if there are going to be multiple owners @@ -254,6 +256,7 @@ function can_write_wall($owner) return false; } +/// @TODO $groups should be array function permissions_sql($owner_id, $remote_verified = false, $groups = null) { $local_user = local_user(); @@ -275,6 +278,13 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) */ if ($local_user && $local_user == $owner_id) { $sql = ''; + /** + * Authenticated visitor. Unless pre-verified, + * check that the contact belongs to this $owner_id + * and load the groups the visitor belongs to. + * If pre-verified, the caller is expected to have already + * done this and passed the groups into this function. + */ } elseif ($remote_user) { /* * Authenticated visitor. Unless pre-verified, @@ -298,9 +308,10 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) if ($remote_verified) { $gs = '<<>>'; // should be impossible to match - if (is_array($groups) && count($groups)) { - foreach ($groups as $g) + if (is_array($groups)) { + foreach ($groups as $g) { $gs .= '|<' . intval($g) . '>'; + } } $sql = sprintf( @@ -332,7 +343,7 @@ function item_permissions_sql($owner_id, $remote_verified = false, $groups = nul AND `item`.allow_gid = '' AND `item`.deny_cid = '' AND `item`.deny_gid = '' - AND `item`.private = 0 + AND `item`.private != 1 "; // Profile owner - everything is visible