X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=include%2Fsecurity.php;h=cd00b5f7b0bbc36a75f511c8f865fe643164f6b7;hb=3befdc6920727cf8cdca4044e2333819de81a549;hp=56d4cad36fa529eb821b48692e1cb9aceef5f478;hpb=083d660f615563c99d26d7ead29409afac0ba8ba;p=friendica.git diff --git a/include/security.php b/include/security.php index 56d4cad36f..cd00b5f7b0 100644 --- a/include/security.php +++ b/include/security.php @@ -9,8 +9,8 @@ function authenticate_success($user_record, $login_initial = false, $interactive $_SESSION['mobile-theme'] = get_pconfig($user_record['uid'], 'system', 'mobile_theme'); $_SESSION['authenticated'] = 1; $_SESSION['page_flags'] = $user_record['page-flags']; - $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $user_record['nickname']; - $_SESSION['my_address'] = $user_record['nickname'] . '@' . substr($a->get_baseurl(),strpos($a->get_baseurl(),'://')+3); + $_SESSION['my_url'] = App::get_baseurl() . '/profile/' . $user_record['nickname']; + $_SESSION['my_address'] = $user_record['nickname'] . '@' . substr(App::get_baseurl(),strpos(App::get_baseurl(),'://')+3); $_SESSION['addr'] = $_SERVER['REMOTE_ADDR']; $a->user = $user_record; @@ -36,31 +36,31 @@ function authenticate_success($user_record, $login_initial = false, $interactive $a->timezone = $a->user['timezone']; } - $master_record = $a->user; + $master_record = $a->user; if((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) { $r = q("select * from user where uid = %d limit 1", intval($_SESSION['submanage']) ); - if(count($r)) + if (dbm::is_result($r)) $master_record = $r[0]; } - $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s'", + $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s' AND `account_removed` = 0 ", dbesc($master_record['password']), dbesc($master_record['email']) ); - if($r && count($r)) + if (dbm::is_result($r)) $a->identities = $r; else $a->identities = array(); - $r = q("select `user`.`uid`, `user`.`username`, `user`.`nickname` - from manage left join user on manage.mid = user.uid - where `manage`.`uid` = %d", + $r = q("select `user`.`uid`, `user`.`username`, `user`.`nickname` + from manage INNER JOIN user on manage.mid = user.uid where `user`.`account_removed` = 0 + and `manage`.`uid` = %d", intval($master_record['uid']) ); - if($r && count($r)) + if (dbm::is_result($r)) $a->identities = array_merge($a->identities,$r); if($login_initial) @@ -70,7 +70,7 @@ function authenticate_success($user_record, $login_initial = false, $interactive $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1", intval($_SESSION['uid'])); - if(count($r)) { + if (dbm::is_result($r)) { $a->contact = $r[0]; $a->cid = $r[0]['id']; $_SESSION['cid'] = $a->cid; @@ -79,19 +79,27 @@ function authenticate_success($user_record, $login_initial = false, $interactive header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"'); if($login_initial || $login_refresh) { - $l = get_browser_language(); - q("UPDATE `user` SET `login_date` = '%s', `language` = '%s' WHERE `uid` = %d LIMIT 1", + q("UPDATE `user` SET `login_date` = '%s' WHERE `uid` = %d", dbesc(datetime_convert()), - dbesc($l), intval($_SESSION['uid']) ); + + // Set the login date for all identities of the user + q("UPDATE `user` SET `login_date` = '%s' WHERE `password` = '%s' AND `email` = '%s' AND `account_removed` = 0", + dbesc(datetime_convert()), + dbesc($master_record['password']), + dbesc($master_record['email']) + ); + + } - if($login_initial) { + if ($login_initial) { call_hooks('logged_in', $a->user); - if(($a->module !== 'home') && isset($_SESSION['return_url'])) - goaway($a->get_baseurl() . '/' . $_SESSION['return_url']); + if (($a->module !== 'home') && isset($_SESSION['return_url'])) { + goaway(App::get_baseurl() . '/' . $_SESSION['return_url']); + } } } @@ -102,16 +110,17 @@ function can_write_wall(&$a,$owner) { static $verified = 0; - if((! (local_user())) && (! (remote_user()))) + if ((! (local_user())) && (! (remote_user()))) { return false; + } $uid = local_user(); - if(($uid) && ($uid == $owner)) { + if (($uid) && ($uid == $owner)) { return true; } - if(remote_user()) { + if (remote_user()) { // use remembered decision and avoid a DB lookup for each and every display item // DO NOT use this function if there are going to be multiple owners @@ -119,27 +128,27 @@ function can_write_wall(&$a,$owner) { // We have a contact-id for an authenticated remote user, this block determines if the contact // belongs to this page owner, and has the necessary permissions to post content - if($verified === 2) + if ($verified === 2) { return true; - elseif($verified === 1) + } elseif ($verified === 1) { return false; - else { + } else { $cid = 0; - if(is_array($_SESSION['remote'])) { - foreach($_SESSION['remote'] as $visitor) { - if($visitor['uid'] == $owner) { + if (is_array($_SESSION['remote'])) { + foreach ($_SESSION['remote'] as $visitor) { + if ($visitor['uid'] == $owner) { $cid = $visitor['cid']; break; } } } - if(! $cid) + if (! $cid) { return false; + } - - $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `user`.`uid` = `contact`.`uid` + $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid` WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1", intval($owner), @@ -149,7 +158,7 @@ function can_write_wall(&$a,$owner) { intval(PAGE_COMMUNITY) ); - if(count($r)) { + if (dbm::is_result($r)) { $verified = 2; return true; } @@ -203,13 +212,13 @@ function permissions_sql($owner_id,$remote_verified = false,$groups = null) { intval($remote_user), intval($owner_id) ); - if(count($r)) { + if (dbm::is_result($r)) { $remote_verified = true; $groups = init_groups_visitor($remote_user); } } if($remote_verified) { - + $gs = '<<>>'; // should be impossible to match if(is_array($groups) && count($groups)) { @@ -255,19 +264,19 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) * default permissions - anonymous user */ - $sql = " AND allow_cid = '' - AND allow_gid = '' - AND deny_cid = '' - AND deny_gid = '' - AND private = 0 + $sql = " AND `item`.allow_cid = '' + AND `item`.allow_gid = '' + AND `item`.deny_cid = '' + AND `item`.deny_gid = '' + AND `item`.private = 0 "; /** * Profile owner - everything is visible */ - if(($local_user) && ($local_user == $owner_id)) { - $sql = ''; + if($local_user && ($local_user == $owner_id)) { + $sql = ''; } /** @@ -285,13 +294,13 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) intval($remote_user), intval($owner_id) ); - if(count($r)) { + if (dbm::is_result($r)) { $remote_verified = true; $groups = init_groups_visitor($remote_user); } } if($remote_verified) { - + $gs = '<<>>'; // should be impossible to match if(is_array($groups) && count($groups)) { @@ -300,7 +309,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) } $sql = sprintf( - " AND ( private = 0 OR ( private = 1 AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) + /*" AND ( private = 0 OR ( private in (1,2) AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' ) AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' ) AND ( allow_gid = '' OR allow_gid REGEXP '%s' ) AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s'))) @@ -309,6 +318,15 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) intval($remote_user), dbesc($gs), dbesc($gs) +*/ + " AND ( `item`.private = 0 OR ( `item`.private in (1,2) AND `item`.`wall` = 1 + AND ( NOT (`item`.deny_cid REGEXP '<%d>' OR `item`.deny_gid REGEXP '%s') + AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = ''))))) + ", + intval($remote_user), + dbesc($gs), + intval($remote_user), + dbesc($gs) ); } } @@ -362,7 +380,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '', logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); notice( check_form_security_std_err_msg() ); - goaway($a->get_baseurl() . $err_redirect ); + goaway(App::get_baseurl() . $err_redirect ); } } function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') { @@ -387,7 +405,7 @@ function init_groups_visitor($contact_id) { WHERE `contact-id` = %d ", intval($contact_id) ); - if(count($r)) { + if (dbm::is_result($r)) { foreach($r as $rr) $groups[] = $rr['gid']; }