X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FUtil%2FSecurity.php;h=42333821602d7b123d7da520c175d21ceb0eacea;hb=a98957eeb29cfb142dfc4cd3e03c5bdfbc373466;hp=11059c0bcf34edb0df1e551dbebae8953765afa9;hpb=8821d33f73785884cfce83e7b23d3ef19cc1bc11;p=friendica.git diff --git a/src/Util/Security.php b/src/Util/Security.php index 11059c0bcf..4233382160 100644 --- a/src/Util/Security.php +++ b/src/Util/Security.php @@ -1,28 +1,42 @@ . + * */ namespace Friendica\Util; -use Friendica\BaseObject; use Friendica\Database\DBA; use Friendica\Model\Contact; use Friendica\Model\Group; -use Friendica\Core\L10n; -use Friendica\Model\PermissionSet; -use Friendica\Core\System; +use Friendica\Model\User; +use Friendica\Core\Session; /** * Secures that User is allow to do requests */ -class Security extends BaseObject +class Security { public static function canWriteToUserWall($owner) { static $verified = 0; - if (!local_user() && !remote_user()) { + if (!Session::isAuthenticated()) { return false; } @@ -35,7 +49,7 @@ class Security extends BaseObject return true; } - if (remote_user()) { + if (!empty(Session::getRemoteContactID($owner))) { // use remembered decision and avoid a DB lookup for each and every display item // DO NOT use this function if there are going to be multiple owners // We have a contact-id for an authenticated remote user, this block determines if the contact @@ -46,29 +60,19 @@ class Security extends BaseObject } elseif ($verified === 1) { return false; } else { - $cid = 0; - - if (!empty($_SESSION['remote'])) { - foreach ($_SESSION['remote'] as $visitor) { - if ($visitor['uid'] == $owner) { - $cid = $visitor['cid']; - break; - } - } - } - + $cid = Session::getRemoteContactID($owner); if (!$cid) { return false; } $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid` WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 - AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1", + AND `user`.`blockwall` = 0 AND `readonly` = 0 AND (`contact`.`rel` IN (%d , %d) OR `user`.`page-flags` = %d) LIMIT 1", intval($owner), intval($cid), intval(Contact::SHARING), intval(Contact::FRIEND), - intval(Contact::PAGE_COMMUNITY) + intval(User::PAGE_FLAGS_COMMUNITY) ); if (DBA::isResult($r)) { @@ -83,22 +87,32 @@ class Security extends BaseObject return false; } - /// @TODO $groups should be array - public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null) + /** + * Create a permission string for an element based on the visitor + * + * @param integer $owner_id User ID of the owner of the element + * @param boolean $accessible Should the element be accessible anyway? + * @return string SQL permissions + */ + public static function getPermissionsSQLByUserId(int $owner_id, bool $accessible = false) { $local_user = local_user(); - $remote_user = remote_user(); + $remote_contact = Session::getRemoteContactID($owner_id); + $acc_sql = ''; + + if ($accessible) { + $acc_sql = ' OR `accessible`'; + } /* * Construct permissions * * default permissions - anonymous user */ - $sql = " AND allow_cid = '' - AND allow_gid = '' - AND deny_cid = '' - AND deny_gid = '' - "; + $sql = " AND (allow_cid = '' + AND allow_gid = '' + AND deny_cid = '' + AND deny_gid = ''" . $acc_sql . ") "; /* * Profile owner - everything is visible @@ -106,50 +120,29 @@ class Security extends BaseObject if ($local_user && $local_user == $owner_id) { $sql = ''; /* - * Authenticated visitor. Unless pre-verified, - * check that the contact belongs to this $owner_id - * and load the groups the visitor belongs to. - * If pre-verified, the caller is expected to have already - * done this and passed the groups into this function. + * Authenticated visitor. Load the groups the visitor belongs to. */ - } elseif ($remote_user) { - /* - * Authenticated visitor. Unless pre-verified, - * check that the contact belongs to this $owner_id - * and load the groups the visitor belongs to. - * If pre-verified, the caller is expected to have already - * done this and passed the groups into this function. - */ - - if (!$remote_verified) { - if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) { - $remote_verified = true; - $groups = Group::getIdsByContactId($remote_user); - } - } + } elseif ($remote_contact) { + $gs = '<<>>'; // should be impossible to match - if ($remote_verified) { - $gs = '<<>>'; // should be impossible to match + $groups = Group::getIdsByContactId($remote_contact); - if (is_array($groups)) { - foreach ($groups as $g) { - $gs .= '|<' . intval($g) . '>'; - } + if (is_array($groups)) { + foreach ($groups as $g) { + $gs .= '|<' . intval($g) . '>'; } - - $sql = sprintf( - " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s') - AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) - ) - ", - intval($remote_user), - DBA::escape($gs), - intval($remote_user), - DBA::escape($gs) - ); } + + $sql = sprintf( + " AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s') + AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' + OR (allow_cid = '' AND allow_gid = ''))" . $acc_sql . ") ", + intval($remote_contact), + DBA::escape($gs), + intval($remote_contact), + DBA::escape($gs) + ); } return $sql; } - }