X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=include%2Fsecurity.php;h=bcfddf8872cab6c909f0e8999dfc3800a25543d0;hb=f34d72c143ebf274c47d7bf21d9d7bf8bca5942f;hp=45f8d86b10f4808238059e97515cd5fc3eeffb1f;hpb=e5a5a7dc7bd8888897e8959a89cc21922580e5e4;p=friendica.git diff --git a/include/security.php b/include/security.php index 45f8d86b10..bcfddf8872 100644 --- a/include/security.php +++ b/include/security.php @@ -107,12 +107,35 @@ function authenticate_success($user_record, $login_initial = false, $interactive } } - $r = dba::select('user', ['uid', 'username', 'nickname'], - ['password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false]); - if (DBM::is_result($r)) { - $a->identities = dba::inArray($r); + if ($master_record['parent-uid'] == 0) { + // First add our own entry + $a->identities = [['uid' => $master_record['uid'], + 'username' => $master_record['username'], + 'nickname' => $master_record['nickname']]]; + + // Then add all the children + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = array_merge($a->identities, dba::inArray($r)); + } } else { + // Just ensure that the array is always defined $a->identities = []; + + // First entry is our parent + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = dba::inArray($r); + } + + // Then add all siblings + $r = dba::select('user', ['uid', 'username', 'nickname'], + ['parent-uid' => $master_record['parent-uid'], 'account_removed' => false]); + if (DBM::is_result($r)) { + $a->identities = array_merge($a->identities, dba::inArray($r)); + } } $r = dba::p("SELECT `user`.`uid`, `user`.`username`, `user`.`nickname` @@ -146,7 +169,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive // Set the login date for all identities of the user dba::update('user', ['login_date' => DateTimeFormat::utcNow()], - ['password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false]); + ['parent-uid' => $master_record['uid'], 'account_removed' => false]); } if ($login_initial) { @@ -231,6 +254,7 @@ function can_write_wall($owner) return false; } +/// @TODO $groups should be array function permissions_sql($owner_id, $remote_verified = false, $groups = null) { $local_user = local_user(); @@ -252,6 +276,13 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) */ if ($local_user && $local_user == $owner_id) { $sql = ''; + /** + * Authenticated visitor. Unless pre-verified, + * check that the contact belongs to this $owner_id + * and load the groups the visitor belongs to. + * If pre-verified, the caller is expected to have already + * done this and passed the groups into this function. + */ } elseif ($remote_user) { /* * Authenticated visitor. Unless pre-verified, @@ -275,9 +306,10 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null) if ($remote_verified) { $gs = '<<>>'; // should be impossible to match - if (is_array($groups) && count($groups)) { - foreach ($groups as $g) + if (is_array($groups)) { + foreach ($groups as $g) { $gs .= '|<' . intval($g) . '>'; + } } $sql = sprintf( @@ -382,12 +414,21 @@ function get_form_security_token($typename = '') function check_form_security_token($typename = '', $formname = 'form_security_token') { - if (!x($_REQUEST, $formname)) { - return false; + $hash = null; + + if (!empty($_REQUEST[$formname])) { + /// @TODO Careful, not secured! + $hash = $_REQUEST[$formname]; + } + + if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) { + /// @TODO Careful, not secured! + $hash = $_SERVER['HTTP_X_CSRF_TOKEN']; } - /// @TODO Careful, not secured! - $hash = $_REQUEST[$formname]; + if (empty($hash)) { + return false; + } $max_livetime = 10800; // 3 hours