X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=include%2Fsecurity.php;h=e8a03ad0fe9dfebd37525c9226c1830322521bae;hb=962fbc916647a0ab8fa3a6d73a3886741cdbe707;hp=d1387ca2260b39e732818b3954982359dbcfdbc3;hpb=610f017b28edc37212df6385126993f2dfc41f59;p=friendica.git

diff --git a/include/security.php b/include/security.php
index d1387ca226..e8a03ad0fe 100644
--- a/include/security.php
+++ b/include/security.php
@@ -1,12 +1,16 @@
 <?php
+/**
+ * @file include/security.php
+ */
 
-use Friendica\App;
 use Friendica\Core\Addon;
 use Friendica\Core\Config;
+use Friendica\Core\L10n;
 use Friendica\Core\PConfig;
 use Friendica\Core\System;
 use Friendica\Database\DBM;
 use Friendica\Model\Group;
+use Friendica\Util\DateTimeFormat;
 
 /**
  * @brief Calculate the hash that is needed for the "Friendica" cookie
@@ -74,10 +78,10 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 		if ($a->user['login_date'] <= NULL_DATE) {
 			$_SESSION['return_url'] = 'profile_photo/new';
 			$a->module = 'profile_photo';
-			info(t("Welcome ") . $a->user['username'] . EOL);
-			info(t('Please upload a profile photo.') . EOL);
+			info(L10n::t("Welcome ") . $a->user['username'] . EOL);
+			info(L10n::t('Please upload a profile photo.') . EOL);
 		} else {
-			info(t("Welcome back ") . $a->user['username'] . EOL);
+			info(L10n::t("Welcome back ") . $a->user['username'] . EOL);
 		}
 	}
 
@@ -95,20 +99,41 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 	$master_record = $a->user;
 
 	if ((x($_SESSION, 'submanage')) && intval($_SESSION['submanage'])) {
-		$r = dba::fetch_first("SELECT * FROM `user` WHERE `uid` = ? LIMIT 1",
-			intval($_SESSION['submanage'])
-		);
-		if (DBM::is_result($r)) {
-			$master_record = $r;
+		$user = dba::selectFirst('user', [], ['uid' => $_SESSION['submanage']]);
+		if (DBM::is_result($user)) {
+			$master_record = $user;
 		}
 	}
 
-	$r = dba::select('user', ['uid', 'username', 'nickname'],
-		['password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false]);
-	if (DBM::is_result($r)) {
-		$a->identities = dba::inArray($r);
+	if ($master_record['parent-uid'] == 0) {
+		// First add our own entry
+		$a->identities = [['uid' => $master_record['uid'],
+				'username' => $master_record['username'],
+				'nickname' => $master_record['nickname']]];
+
+		// Then add all the children
+		$r = dba::select('user', ['uid', 'username', 'nickname'],
+			['parent-uid' => $master_record['uid'], 'account_removed' => false]);
+		if (DBM::is_result($r)) {
+			$a->identities = array_merge($a->identities, dba::inArray($r));
+		}
 	} else {
+		// Just ensure that the array is always defined
 		$a->identities = [];
+
+		// First entry is our parent
+		$r = dba::select('user', ['uid', 'username', 'nickname'],
+			['uid' => $master_record['parent-uid'], 'account_removed' => false]);
+		if (DBM::is_result($r)) {
+			$a->identities = dba::inArray($r);
+		}
+
+		// Then add all siblings
+		$r = dba::select('user', ['uid', 'username', 'nickname'],
+			['parent-uid' => $master_record['parent-uid'], 'account_removed' => false]);
+		if (DBM::is_result($r)) {
+			$a->identities = array_merge($a->identities, dba::inArray($r));
+		}
 	}
 
 	$r = dba::p("SELECT `user`.`uid`, `user`.`username`, `user`.`nickname`
@@ -128,21 +153,21 @@ function authenticate_success($user_record, $login_initial = false, $interactive
 		logger('auth_identities refresh: ' . print_r($a->identities, true), LOGGER_DEBUG);
 	}
 
-	$r = dba::fetch_first("SELECT * FROM `contact` WHERE `uid` = ? AND `self` LIMIT 1", $_SESSION['uid']);
-	if (DBM::is_result($r)) {
-		$a->contact = $r;
-		$a->cid = $r['id'];
+	$contact = dba::selectFirst('contact', [], ['uid' => $_SESSION['uid'], 'self' => true]);
+	if (DBM::is_result($contact)) {
+		$a->contact = $contact;
+		$a->cid = $contact['id'];
 		$_SESSION['cid'] = $a->cid;
 	}
 
 	header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] . '"');
 
 	if ($login_initial || $login_refresh) {
-		dba::update('user', ['login_date' => datetime_convert()], ['uid' => $_SESSION['uid']]);
+		dba::update('user', ['login_date' => DateTimeFormat::utcNow()], ['uid' => $_SESSION['uid']]);
 
 		// Set the login date for all identities of the user
-		dba::update('user', ['login_date' => datetime_convert()],
-			['password' => $master_record['password'], 'email' => $master_record['email'], 'account_removed' => false]);
+		dba::update('user', ['login_date' => DateTimeFormat::utcNow()],
+			['parent-uid' => $master_record['uid'], 'account_removed' => false]);
 	}
 
 	if ($login_initial) {
@@ -227,6 +252,7 @@ function can_write_wall($owner)
 	return false;
 }
 
+/// @TODO $groups should be array
 function permissions_sql($owner_id, $remote_verified = false, $groups = null)
 {
 	$local_user = local_user();
@@ -248,6 +274,13 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null)
 	 */
 	if ($local_user && $local_user == $owner_id) {
 		$sql = '';
+	/**
+	 * Authenticated visitor. Unless pre-verified,
+	 * check that the contact belongs to this $owner_id
+	 * and load the groups the visitor belongs to.
+	 * If pre-verified, the caller is expected to have already
+	 * done this and passed the groups into this function.
+	 */
 	} elseif ($remote_user) {
 		/*
 		 * Authenticated visitor. Unless pre-verified,
@@ -271,9 +304,10 @@ function permissions_sql($owner_id, $remote_verified = false, $groups = null)
 		if ($remote_verified) {
 			$gs = '<<>>'; // should be impossible to match
 
-			if (is_array($groups) && count($groups)) {
-				foreach ($groups as $g)
+			if (is_array($groups)) {
+				foreach ($groups as $g) {
 					$gs .= '|<' . intval($g) . '>';
+				}
 			}
 
 			$sql = sprintf(
@@ -378,12 +412,21 @@ function get_form_security_token($typename = '')
 
 function check_form_security_token($typename = '', $formname = 'form_security_token')
 {
-	if (!x($_REQUEST, $formname)) {
-		return false;
+	$hash = null;
+
+	if (!empty($_REQUEST[$formname])) {
+		/// @TODO Careful, not secured!
+		$hash = $_REQUEST[$formname];
+	}
+
+	if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+		/// @TODO Careful, not secured!
+		$hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
 	}
 
-	/// @TODO Careful, not secured!
-	$hash = $_REQUEST[$formname];
+	if (empty($hash)) {
+		return false;
+	}
 
 	$max_livetime = 10800; // 3 hours
 
@@ -401,7 +444,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
 
 function check_form_security_std_err_msg()
 {
-	return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before submitting it.') . EOL;
+	return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL;
 }
 
 function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token')