cache result of (expensive) security check for visitor rights

begin tightening x-profile security

diff --git a/include/security.php b/include/security.php
index f376039167d5ff7672b2baaf0b98fb94c9e0b981..5e79e1edd5f0017424777df1206ce2d3eee96617 100644 (file)
--- a/include/security.php
+++ b/include/security.php
@@ -2,15 +2,27 @@
 
 function can_write_wall(&$a,$owner) {
 
-        if((! (local_user())) && (! (remote_user())))
-                return false;
-               $uid = local_user();
+       static $verified = 0;
 
-        if(($uid) && ($uid == $owner)) {
-                return true;
-               }
+       if((! (local_user())) && (! (remote_user())))
+               return false;
+
+       $uid = local_user();
+
+       if(($uid) && ($uid == $owner)) {
+               return true;
+       }
+
+       if(remote_user()) {
 
-               if(remote_user()) {
+               // user remembered decision and avoid a DB lookup for each and every display item
+               // DO NOT use this function if there are going to be multiple owners
+
+               if($verified === 2)
+                       return true;
+               elseif($verified === 1)
+                       return false;
+               else {
                        $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `user`.`uid` = `contact`.`uid` 
                                WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0 
                                AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
@@ -20,11 +32,15 @@ function can_write_wall(&$a,$owner) {
                                intval(REL_BUD),
                                intval(PAGE_COMMUNITY)
                        );
+                       if(count($r)) {
+                               $verified = 2;
+                               return true;
+                       }
+                       else {
+                               $verified = 1;
+                       }
                }
-               if(count($r))
-                       return true;
-
-               
-        return false;
+       }
 
+       return false;
 }

diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php
index 35b9861a52af4d2653fa30e8f8e4640f03a21a5a..de3d00aea04a28d6e23f2704bf53ea66bbb1fd35 100644 (file)
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@@ -10,6 +10,7 @@ function dfrn_poll_init(&$a) {
        $type            = ((x($_GET,'type'))            ? $_GET['type']                 : '');
        $last_update     = ((x($_GET,'last_update'))     ? $_GET['last_update']          : '');
        $destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url']      : '');
+       $sec             = ((x($_GET,'sec'))             ? intval($_GET['sec'])          : 0);
        $dfrn_version    = ((x($_GET,'dfrn_version'))    ? (float) $_GET['dfrn_version'] : 0);
 
 
@@ -212,18 +213,11 @@ function dfrn_poll_post(&$a) {
 
 function dfrn_poll_content(&$a) {
 
-
-       $dfrn_id = '';
-       $type = 'data';
-
-       if(x($_GET,'dfrn_id'))
-               $dfrn_id = $_GET['dfrn_id'];
-       if(x($_GET,'type'))
-               $type = $_GET['type'];
-       if(x($_GET,'last_update'))
-               $last_update = $_GET['last_update'];
-
-       $dfrn_version = (float) $_GET['dfrn_version'];
+       $dfrn_id      = ((x($_GET,'dfrn_id'))      ? $_GET['dfrn_id']              : '');
+       $type         = ((x($_GET,'type'))         ? $_GET['type']                 : 'data');
+       $last_update  = ((x($_GET,'last_update'))  ? $_GET['last_update']          : '');
+       $dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0);
+       $sec          = ((x($_GET,'sec'))          ? intval($_GET['sec'])          : 0);
 
        $direction = (-1);
        if(strpos($dfrn_id,':') == 1) {
@@ -249,7 +243,6 @@ function dfrn_poll_content(&$a) {
                        dbesc($last_update)
                );
 
-
                $sql_extra = '';
                switch($direction) {
                        case (-1):
@@ -269,9 +262,6 @@ function dfrn_poll_content(&$a) {
                                break; // NOTREACHED
                }
 
-
-
-
                $r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1");
 
                if(count($r)) {
@@ -296,10 +286,11 @@ function dfrn_poll_content(&$a) {
                else {
                        $status = 1;
                }
+
                header("Content-type: text/xml");
                echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
                        . '<dfrn_poll>' . "\r\n"
-                       . "\t" . '<status>' .$status . '</status>' . "\r\n"
+                       . "\t" . '<status>' . $status . '</status>' . "\r\n"
                        . "\t" . '<dfrn_version>' . DFRN_PROTOCOL_VERSION . '</dfrn_version>' . "\r\n"
                        . "\t" . '<dfrn_id>' . $encrypted_id . '</dfrn_id>' . "\r\n"
                        . "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"

diff --git a/mod/redir.php b/mod/redir.php
index 5427d8c786e93f5be407bca3b099f4f8fc071314..f95c52c96e50a09e9cd9f70184b28b21ba569ac6 100644 (file)
--- a/mod/redir.php
+++ b/mod/redir.php
@@ -27,6 +27,6 @@ function redir_init(&$a) {
                dbesc($dfrn_id),
                intval(time() + 45));
        goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id 
-               . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
+               . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1');
        
 }