X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=mod%2Fphotos.php;h=e40ae0d74a03fd5fff4cfbfd5ad97654deb0cc76;hb=4690d00141352db8ca96359cbbf65ce6eb4345c4;hp=f8059fc08e1aa46103bdcf3a76b756f0fb4ee390;hpb=8819c73ba1ae1cbf19d2c517a87d30104d1a5da1;p=friendica.git
diff --git a/mod/photos.php b/mod/photos.php
old mode 100644
new mode 100755
index f8059fc08e..e40ae0d74a
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -3,6 +3,7 @@ require_once('include/Photo.php');
require_once('include/items.php');
require_once('include/acl_selectors.php');
require_once('include/bbcode.php');
+require_once('include/security.php');
function photos_init(&$a) {
@@ -23,39 +24,7 @@ function photos_init(&$a) {
$a->data['user'] = $r[0];
-
- // default permissions - anonymous user
-
- $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' ";
-
- // Profile owner - everything is visible
-
- if(local_user() && (local_user() == $a->data['user']['uid'])) {
- $sql_extra = '';
- }
- elseif(remote_user()) {
-
- $groups = init_groups_visitor(remote_user());
-
- // authenticated visitor - here lie dragons
- $gs = '<<>>'; // should be impossible to match
- if(count($groups)) {
- foreach($groups as $g)
- $gs .= '|<' . intval($g) . '>';
- }
- $sql_extra = sprintf(
- " AND ( `allow_cid` = '' OR `allow_cid` REGEXP '<%d>' )
- AND ( `deny_cid` = '' OR NOT `deny_cid` REGEXP '<%d>' )
- AND ( `allow_gid` = '' OR `allow_gid` REGEXP '%s' )
- AND ( `deny_gid` = '' OR NOT `deny_gid` REGEXP '%s') ",
-
- intval(remote_user()),
- intval(remote_user()),
- dbesc($gs),
- dbesc($gs)
- );
- }
-
+ $sql_extra = permissions_sql($a->data['user']['uid']);
$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d $sql_extra ",
intval($a->data['user']['uid'])
@@ -64,20 +33,31 @@ function photos_init(&$a) {
if(count($albums)) {
$a->data['albums'] = $albums;
- $o .= '';
- $o .= '';
-
+ $o .= '';
+ $o .= '
' . $a->data['user']['username'] . '
';
+ $o .= '
';
+ $o .= '
';
- $albumselect .= ' ';
+
+ $albumselect .= ' ';
if(count($a->data['albums'])) {
foreach($a->data['albums'] as $album) {
if(($album['album'] === '') || ($album['album'] === 'Contact Photos') || ($album['album'] === t('Contact Photos')))
continue;
- $albumselect .= '' . $album['album'] . ' ';
+ $selected = (($selname === $album['album']) ? ' selected="selected" ' : '');
+ $albumselect .= '' . $album['album'] . ' ';
}
}
@@ -950,9 +909,10 @@ function photos_content(&$a) {
'$nickname' => $a->data['user']['nickname'],
'$newalbum' => t('New album name: '),
'$existalbumtext' => t('or existing album name: '),
- '$albumselect' => $albumselect,
+ '$nosharetext' => t('Do not show a status post for this upload'),
+ '$albumselect' => template_escape($albumselect),
'$permissions' => t('Permissions'),
- '$aclselect' => (($visitor) ? '' : populate_acl($a->user, $celeb)),
+ '$aclselect' => (($visitor) ? '' : template_escape(populate_acl($a->user, $celeb))),
'$uploader' => $ret['addon_text'],
'$default' => (($ret['default_upload']) ? $default_upload : ''),
'$uploadurl' => $ret['post_url']
@@ -967,7 +927,7 @@ function photos_content(&$a) {
$album = hex2bin($datum);
$r = q("SELECT `resource-id`, max(`scale`) AS `scale` FROM `photo` WHERE `uid` = %d AND `album` = '%s'
- $sql_extra GROUP BY `resource-id`",
+ AND `scale` <= 4 $sql_extra GROUP BY `resource-id`",
intval($owner_uid),
dbesc($album)
);
@@ -977,7 +937,7 @@ function photos_content(&$a) {
}
$r = q("SELECT `resource-id`, `id`, `filename`, max(`scale`) AS `scale`, `desc` FROM `photo` WHERE `uid` = %d AND `album` = '%s'
- $sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
+ AND `scale` <= 4 $sql_extra GROUP BY `resource-id` ORDER BY `created` DESC LIMIT %d , %d",
intval($owner_uid),
dbesc($album),
intval($a->pager['start']),
@@ -993,7 +953,7 @@ function photos_content(&$a) {
$o .= replace_macros($edit_tpl,array(
'$nametext' => t('New album name: '),
'$nickname' => $a->data['user']['nickname'],
- '$album' => $album,
+ '$album' => template_escape($album),
'$hexalbum' => bin2hex($album),
'$submit' => t('Submit'),
'$dropsubmit' => t('Delete Album')
@@ -1010,6 +970,11 @@ function photos_content(&$a) {
}
}
}
+
+ if($can_post) {
+ $o .= '';
+ }
+
$tpl = get_markup_template('photo_album.tpl');
if(count($r))
foreach($r as $rr) {
@@ -1018,8 +983,8 @@ function photos_content(&$a) {
'$photolink' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
'$phototitle' => t('View Photo'),
'$imgsrc' => $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . $rr['scale'] . '.jpg',
- '$imgalt' => $rr['filename'],
- '$desc'=> $rr['desc']
+ '$imgalt' => template_escape($rr['filename']),
+ '$desc'=> template_escape($rr['desc'])
));
}
@@ -1045,7 +1010,15 @@ function photos_content(&$a) {
);
if(! count($ph)) {
- notice( t('Photo not available') . EOL );
+ $ph = q("SELECT `id` FROM `photo` WHERE `uid` = %d AND `resource-id` = '%s'
+ LIMIT 1",
+ intval($owner_uid),
+ dbesc($datum)
+ );
+ if(count($ph))
+ notice( t('Permission denied. Access to this item may be restricted.'));
+ else
+ notice( t('Photo not available') . EOL );
return;
}
@@ -1070,8 +1043,9 @@ function photos_content(&$a) {
break;
}
}
- $prevlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$prv]['resource-id'] ;
- $nextlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$nxt]['resource-id'] ;
+ $edit_suffix = ((($cmd === 'edit') && ($can_post)) ? '/edit' : '');
+ $prevlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$prv]['resource-id'] . $edit_suffix;
+ $nextlink = $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $prvnxt[$nxt]['resource-id'] . $edit_suffix;
}
@@ -1094,7 +1068,7 @@ function photos_content(&$a) {
if($can_post && ($ph[0]['uid'] == $owner_uid)) {
$tools = array(
- 'edit' => array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . '/edit', t('Edit photo')),
+ 'edit' => array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . (($cmd === 'edit') ? '' : '/edit'), (($cmd === 'edit') ? t('View photo') : t('Edit photo'))),
'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'], t('Use as profile photo')),
);
@@ -1129,7 +1103,7 @@ function photos_content(&$a) {
$link_item = $linked_items[0];
$r = q("SELECT COUNT(*) AS `total`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
- WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0
+ WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `item`.`uid` = %d
$sql_extra ",
@@ -1148,7 +1122,7 @@ function photos_content(&$a) {
`contact`.`rel`, `contact`.`thumb`, `contact`.`self`,
`contact`.`id` AS `cid`, `contact`.`uid` AS `contact-uid`
FROM `item` LEFT JOIN `contact` ON `contact`.`id` = `item`.`contact-id`
- WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0
+ WHERE `parent-uri` = '%s' AND `uri` != '%s' AND `item`.`deleted` = 0 and `item`.`moderated` = 0
AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `item`.`uid` = %d
$sql_extra
@@ -1170,6 +1144,7 @@ function photos_content(&$a) {
}
$tags=Null;
+
if(count($linked_items) && strlen($link_item['tag'])) {
$arr = explode(',',$link_item['tag']);
// parse tags and add links
@@ -1192,16 +1167,16 @@ function photos_content(&$a) {
$edit_tpl = get_markup_template('photo_edit.tpl');
$edit = replace_macros($edit_tpl, array(
'$id' => $ph[0]['id'],
- '$album' => $ph[0]['album'],
+ '$album' => template_escape($ph[0]['album']),
'$newalbum' => t('New album name'),
'$nickname' => $a->data['user']['nickname'],
'$resource_id' => $ph[0]['resource-id'],
'$capt_label' => t('Caption'),
- '$caption' => $ph[0]['desc'],
+ '$caption' => template_escape($ph[0]['desc']),
'$tag_label' => t('Add a Tag'),
'$tags' => $link_item['tag'],
'$permissions' => t('Permissions'),
- '$aclselect' => populate_acl($ph[0]),
+ '$aclselect' => template_escape(populate_acl($ph[0])),
'$help_tags' => t('Example: @bob, @Barbara_Jensen, @jim@example.com, #California, #camping'),
'$item_id' => ((count($linked_items)) ? $link_item['id'] : 0),
'$submit' => t('Submit'),
@@ -1245,6 +1220,7 @@ function photos_content(&$a) {
'$myphoto' => $contact['thumb'],
'$comment' => t('Comment'),
'$submit' => t('Submit'),
+ '$preview' => t('Preview'),
'$ww' => ''
));
}
@@ -1347,11 +1323,11 @@ function photos_content(&$a) {
$comments .= replace_macros($template,array(
'$id' => $item['item_id'],
'$profile_url' => $profile_link,
- '$name' => $profile_name,
+ '$name' => template_escape($profile_name),
'$thumb' => $profile_avatar,
'$sparkle' => $sparkle,
- '$title' => $item['title'],
- '$body' => bbcode($item['body']),
+ '$title' => template_escape($item['title']),
+ '$body' => template_escape(bbcode($item['body'])),
'$ago' => relative_date($item['created']),
'$indent' => (($item['parent'] != $item['item_id']) ? ' comment' : ''),
'$drop' => $drop,
@@ -1366,18 +1342,18 @@ function photos_content(&$a) {
$photo_tpl = get_markup_template('photo_view.tpl');
$o .= replace_macros($photo_tpl, array(
'$id' => $ph[0]['id'],
- '$album' => array($album_link,$ph[0]['album']),
+ '$album' => array($album_link,template_escape($ph[0]['album'])),
'$tools' => $tools,
'$lock' => $lock,
'$photo' => $photo,
'$prevlink' => $prevlink,
'$nextlink' => $nextlink,
'$desc' => $ph[0]['desc'],
- '$tags' => $tags,
+ '$tags' => template_escape($tags),
'$edit' => $edit,
'$likebuttons' => $likebuttons,
- '$like' => $like,
- '$dislike' => $dislike,
+ '$like' => template_escape($like),
+ '$dislike' => template_escape($dislike),
'$comments' => $comments,
'$paginate' => $paginate,
));
@@ -1409,30 +1385,36 @@ function photos_content(&$a) {
intval($a->pager['itemspage'])
);
- $o .= '' . t('Recent Photos') . ' ';
- if($can_post) {
- $o .= '';
- }
- $tpl = get_markup_template('photo_top.tpl');
+ $photos = array();
if(count($r)) {
foreach($r as $rr) {
- $o .= replace_macros($tpl,array(
- '$id' => $rr['id'],
- '$photolink' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
- '$phototitle' => t('View Photo'),
- '$imgsrc' => $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . ((($rr['scale']) == 6) ? 4 : $rr['scale']) . '.jpg',
- '$albumlink' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/album/' . bin2hex($rr['album']),
- '$albumname' => $rr['album'],
- '$albumalt' => t('View Album'),
- '$imgalt' => $rr['filename']
- ));
-
+ $photos[] = array(
+ 'id' => $rr['id'],
+ 'link' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $rr['resource-id'],
+ 'title' => t('View Photo'),
+ 'src' => $a->get_baseurl() . '/photo/' . $rr['resource-id'] . '-' . ((($rr['scale']) == 6) ? 4 : $rr['scale']) . '.jpg',
+ 'alt' => template_escape($rr['filename']),
+ 'album' => array(
+ 'link' => $a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/album/' . bin2hex($rr['album']),
+ 'name' => template_escape($rr['album']),
+ 'alt' => t('View Album'),
+ ),
+
+ );
}
- $o .= '
';
}
+
+ $tpl = get_markup_template('photos_recent.tpl');
+ $o .= replace_macros($tpl,array(
+ '$title' => t('Recent Photos'),
+ '$can_post' => $can_post,
+ '$upload' => array(t('Upload New Photos'), $a->get_baseurl().'/photos/'.$a->data['user']['nickname'].'/upload'),
+ '$photos' => $photos,
+ ));
+
+
$o .= paginate($a);
return $o;
}
![' . $a->data['user']['username'] . '](' . $a->get_baseurl() . '/photo/profile/' . $a->data['user']['uid'] . '.jpg)