X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FSecurity.php;h=043c59d84f20a0fd1ed1023dd48dcd1ff9829017;hb=83b00ef3081618dca2a17537289f55a485f70b00;hp=1c934d6fe617c741d9d6b47316570ea2ebe7b74b;hpb=b9ab6137776f39db3d01481cb6a7d5f6a1634be5;p=friendica.git
diff --git a/src/Util/Security.php b/src/Util/Security.php
index 1c934d6fe6..043c59d84f 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -10,6 +10,7 @@ use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
 use Friendica\Model\User;
+use Friendica\Core\Session;
 /**
 * Secures that User is allow to do requests
@@ -20,7 +21,7 @@ class Security extends BaseObject
 {
 static $verified = 0;
- if (!local_user() && !remote_user()) {
+ if (!Session::isAuthenticated()) {
 return false;
 }
@@ -33,7 +34,7 @@ class Security extends BaseObject
 return true;
 }
- if (remote_user()) {
+ if (!empty(Session::getRemoteContactID($owner))) {
 // use remembered decision and avoid a DB lookup for each and every display item
 // DO NOT use this function if there are going to be multiple owners
 // We have a contact-id for an authenticated remote user, this block determines if the contact
@@ -44,24 +45,14 @@ class Security extends BaseObject
 } elseif ($verified === 1) {
 return false;
 } else {
- $cid = 0;
-
- if (!empty($_SESSION['remote'])) {
- foreach ($_SESSION['remote'] as $visitor) {
- if ($visitor['uid'] == $owner) {
- $cid = $visitor['cid'];
- break;
- }
- }
- }
-
+ $cid = Session::getRemoteContactID($owner);
 if (!$cid) {
 return false;
 }
 $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid` WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
- AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
+ AND `user`.`blockwall` = 0 AND `readonly` = 0 AND (`contact`.`rel` IN (%d , %d) OR `user`.`page-flags` = %d) LIMIT 1",
 intval($owner),
 intval($cid),
 intval(Contact::SHARING),
@@ -81,11 +72,10 @@ class Security extends BaseObject
 return false;
 }
- /// @TODO $groups should be array
- public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
+ public static function getPermissionsSQLByUserId($owner_id)
 {
 $local_user = local_user();
- $remote_user = remote_user();
+ $remote_contact = Session::getRemoteContactID($owner_id);
 /*
 * Construct permissions
@@ -93,10 +83,9 @@ class Security extends BaseObject
 * default permissions - anonymous user
 */
 $sql = " AND allow_cid = ''
- AND allow_gid = ''
- AND deny_cid = ''
- AND deny_gid = ''
- ";
+ AND allow_gid = ''
+ AND deny_cid = ''
+ AND deny_gid = '' ";
 /*
 * Profile owner - everything is visible
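Review bot: `Session::getRemoteContactID($owner)` is now looked up twice in the same function — once inside `!empty(...)` in the guard of the previous hunk and again here as `$cid = Session::getRemoteContactID($owner);` — so the branch condition and the value the query is built from come from two separate calls. Hoisting a single `$cid = Session::getRemoteContactID($owner);` above that guard and testing `if ($cid) {` keeps them in step, removes the redundant lookup, and lets this `else` branch drop its own assignment. The `if (!$cid) { return false; }` that follows can then stay as is, since the guard already implies a non-empty id. The enclosing function begins before this hunk.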
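Review bot: `getPermissionsSQLByUserId` loses its only doc comment (the `/// @TODO` line) in this hunk and gets nothing back, although it is a public static method that hands callers a raw SQL `WHERE` fragment. A short docblock above the new signature would say that it builds the visibility clause for items owned by `$owner_id` for the current visitor, that the result is an empty string when the visitor is the owner, and that the return value is meant to be appended verbatim to a query. Since PHP silently ignores surplus arguments to userland functions, callers still passing `$remote_verified`/`$groups` will not fail but will now be re-verified from the session, which looks intended and is safer; a grep for three-argument callers would confirm none relied on the pre-verified bypass. The body of the method continues into the next hunks.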
@@ -104,59 +93,28 @@ class Security extends BaseObject
 if ($local_user && $local_user == $owner_id) {
 $sql = '';
 /*
- * Authenticated visitor. Unless pre-verified,
- * check that the contact belongs to this $owner_id
- * and load the groups the visitor belongs to.
- * If pre-verified, the caller is expected to have already
- * done this and passed the groups into this function.
+ * Authenticated visitor. Load the groups the visitor belongs to.
 */
- } elseif ($remote_user) {
- /*
- * Authenticated visitor. Unless pre-verified,
- * check that the contact belongs to this $owner_id
- * and load the groups the visitor belongs to.
- * If pre-verified, the caller is expected to have already
- * done this and passed the groups into this function.
- */
-
- if (!$remote_verified) {
- $cid = 0;
-
- foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
- if ($visitor['uid'] == $owner_id) {
- $cid = $visitor['cid'];
- break;
- }
- }
-
- if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
- $remote_verified = true;
- $groups = Group::getIdsByContactId($cid);
- }
- }
+ } elseif ($remote_contact) {
+ $gs = '<<>>'; // should be impossible to match
- if ($remote_verified) {
- $gs = '<<>>'; // should be impossible to match
+ $groups = Group::getIdsByContactId($remote_contact);
- if (is_array($groups)) {
- foreach ($groups as $g) {
- $gs .= '|<' . intval($g) . '>';
- }
+ if (is_array($groups)) {
+ foreach ($groups as $g) {
+ $gs .= '|<' . intval($g) . 
'>';
 }
-
- $sql = sprintf(
- " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
- AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
- )
- ",
- intval($cid),
- DBA::escape($gs),
- intval($cid),
- DBA::escape($gs)
- );
 }
+
+ $sql = sprintf(
+ " AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
+ AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR (allow_cid = '' AND allow_gid = ''))) ",
+ intval($remote_contact),
+ DBA::escape($gs),
+ intval($remote_contact),
+ DBA::escape($gs)
+ );
 }
 return $sql;
 }
- }
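Review bot: The new `elseif ($remote_contact)` branch trusts the session-provided contact id without the `DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])` check the removed code performed before loading groups, so a contact that is blocked or deleted after the visitor's session was established keeps its group-scoped permissions until the session ends. Unless `Session::getRemoteContactID()` re-validates the contact row itself — not visible here — I would restore the check on the branch, e.g. `} elseif ($remote_contact && DBA::exists('contact', ['id' => $remote_contact, 'uid' => $owner_id, 'blocked' => false])) {`, which also drops such a visitor to the anonymous `allow_* = ''` SQL. The `q(...)` query in the earlier hunk does filter the same session id with `contact`.`blocked` = 0 and `contact`.`pending` = 0, so the two paths currently disagree on how much a remote contact id is worth. The method this branch belongs to starts in the previous hunk.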