X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FSecurity.php;h=1c934d6fe617c741d9d6b47316570ea2ebe7b74b;hb=77610179156eeadcb22ee3735574a3b07935439a;hp=1eb0c3f4902d894985c23b74cfd12901da1eddf3;hpb=05be2db72516ac17dc6b9cccaa6fee458501df53;p=friendica.git
diff --git a/src/Util/Security.php b/src/Util/Security.php
index 1eb0c3f490..1c934d6fe6 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -9,16 +9,14 @@ use Friendica\BaseObject;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
-use Friendica\Core\L10n;
-use Friendica\Model\PermissionSet;
-use Friendica\Core\System;
+use Friendica\Model\User;
 
 /**
 * Secures that User is allow to do requests
 */
 class Security extends BaseObject
 {
- public static function can_write_wall($owner)
+ public static function canWriteToUserWall($owner)
 {
 static $verified = 0;
 
@@ -68,7 +66,7 @@ class Security extends BaseObject
 intval($cid),
 intval(Contact::SHARING),
 intval(Contact::FRIEND),
- intval(Contact::PAGE_COMMUNITY)
+ intval(User::PAGE_FLAGS_COMMUNITY)
 );
 
 if (DBA::isResult($r)) {
@@ -84,12 +82,12 @@ class Security extends BaseObject
 }
 
 /// @TODO $groups should be array
- public static function permissions_sql($owner_id, $remote_verified = false, $groups = null)
+ public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
 {
 $local_user = local_user();
 $remote_user = remote_user();
 
- /**
+ /*
 * Construct permissions
 *
 * default permissions - anonymous user
@@ -100,12 +98,12 @@ class Security extends BaseObject
 AND deny_gid = ''
 ";
 
- /**
+ /*
 * Profile owner - everything is visible
 */
 if ($local_user && $local_user == $owner_id) {
 $sql = '';
- /**
+ /*
 * Authenticated visitor. Unless pre-verified,
 * check that the contact belongs to this $owner_id
 * and load the groups the visitor belongs to.
@@ -122,9 +120,18 @@ class Security extends BaseObject */ if (!$remote_verified) { - if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) { + $cid = 0; + + foreach (\Friendica\Core\Session::get('remote', []) as $visitor) { + if ($visitor['uid'] == $owner_id) { + $cid = $visitor['cid']; + break; + } + } + + if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) { $remote_verified = true; - $groups = Group::getIdsByContactId($remote_user); + $groups = Group::getIdsByContactId($cid); } } @@ -142,9 +149,9 @@ class Security extends BaseObject AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", - intval($remote_user), + intval($cid), DBA::escape($gs), - intval($remote_user), + intval($cid), DBA::escape($gs) ); } 
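Review bot: `$cid = 0;` and the session lookup that fills it are placed inside `if (!$remote_verified) {`, yet the sprintf in the following `@@ -142,9 +149,9 @@` hunk now binds `intval($cid)` into the `deny_cid` / `allow_cid` REGEXP clauses; when a caller passes `$remote_verified = true` (the pre-verified path, which the old code served with `$remote_user`) `$cid` is undefined at that point, so the query is built with contact id 0 and the visitor's per-contact allow and deny entries are silently not matched — unless `$cid` is assigned in the lines between the two hunks, which are not visible here. Resolving the session entry before the verification branch keeps both paths on the same contact id, and the owner match `$visitor['uid'] == $owner_id` should be a strict comparison on ints, since session values may arrive as strings. getPermissionsSQLByUserId starts and ends outside this hunk.
```php
$cid = 0;

foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
	if ((int) $visitor['uid'] === (int) $owner_id) {
		$cid = (int) $visitor['cid'];
		break;
	}
}

if (!$remote_verified) {
	if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
		$remote_verified = true;
		$groups = Group::getIdsByContactId($cid);
	}
}
// … unchanged: $gs construction and the sprintf that uses intval($cid) …
```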
@@ -152,122 +159,4 @@ class Security extends BaseObject return $sql; } - public static function item_permissions_sql($owner_id, $remote_verified = false, $groups = null) - { - $local_user = local_user(); - $remote_user = remote_user(); - - /* - * Construct permissions - * - * default permissions - anonymous user - */ - $sql = " AND NOT `item`.`private`"; - - // Profile owner - everything is visible - if ($local_user && ($local_user == $owner_id)) { - $sql = ''; - } elseif ($remote_user) { - /* - * Authenticated visitor. Unless pre-verified, - * check that the contact belongs to this $owner_id - * and load the groups the visitor belongs to. - * If pre-verified, the caller is expected to have already - * done this and passed the groups into this function. - */ - $set = PermissionSet::get($owner_id, $remote_user, $groups); - - if (!empty($set)) { - $sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))"; - } else { - $sql_set = ''; - } - - $sql = " AND (NOT `item`.`private`" . $sql_set . ")"; - } - - return $sql; - } - - /* - * Functions used to protect against Cross-Site Request Forgery - * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key. - * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes; - * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours). - * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case: - * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link). - * If the new page contains by any chance external elements, then the used security token is exposed by the referrer. 
- * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are, - * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types). - */ - public static function get_form_security_token($typename = '') - { - $a = get_app(); - - $timestamp = time(); - $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename); - - return $timestamp . '.' . $sec_hash; - } - - public static function check_form_security_token($typename = '', $formname = 'form_security_token') - { - $hash = null; - - if (!empty($_REQUEST[$formname])) { - /// @TODO Careful, not secured! - $hash = $_REQUEST[$formname]; - } - - if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) { - /// @TODO Careful, not secured! - $hash = $_SERVER['HTTP_X_CSRF_TOKEN']; - } - - if (empty($hash)) { - return false; - } - - $max_livetime = 10800; // 3 hours - - $a = get_app(); - - $x = explode('.', $hash); - if (time() > (IntVal($x[0]) + $max_livetime)) { - return false; - } - - $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename); - - return ($sec_hash == $x[1]); - } - - private static function check_form_security_std_err_msg() - { - return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL; - } - - public static function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') - { - if (!check_form_security_token($typename, $formname)) { - $a = get_app(); - logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); - logger('check_form_security_token failed: _REQUEST data: ' . 
print_r($_REQUEST, true), LOGGER_DATA); - notice(check_form_security_std_err_msg()); - goaway(System::baseUrl() . $err_redirect); - } - } - - public static function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') - { - if (!check_form_security_token($typename, $formname)) { - $a = get_app(); - logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); - logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); - header('HTTP/1.1 403 Forbidden'); - killme(); - } - } } - -?> \ No newline at end of file