From: Roland Haeder <roland@mxchange.org>
Date: Fri, 27 Mar 2015 22:16:34 +0000 (+0100)
Subject: Possible hack for tags from private dents in public profile or wrong scope (both... 
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=3346f2ebf403f7522577255d818664ef94bb4f2f;p=quix0rs-gnu-social.git

Possible hack for tags from private dents showing up in a public profile or in the wrong scope (both are privacy leaks).

Signed-off-by: Roland Haeder <roland@mxchange.org>
---

diff --git a/actions/publictagcloud.php b/actions/publictagcloud.php
index 6d0d4237e9..1f169cfc5f 100644
--- a/actions/publictagcloud.php
+++ b/actions/publictagcloud.php
@@ -110,6 +110,8 @@ class PublictagcloudAction extends Action
          */
         $tags->selectAdd();
         $tags->selectAdd('tag');
+        $tags->selectAdd('notice_id');
+        $tags->selectAdd('scope');
 
         // Add the aggregated columns...
         $tags->selectAdd('max(notice_id) as last_notice_id');
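Review bot: The two added `selectAdd('notice_id')` / `selectAdd('scope')` columns are non-aggregated, but the query is grouped by `tag` (the `groupBy('tag')` in the second hunk), so each tag row carries the `notice_id`/`scope` of an arbitrary notice from that group; under MySQL's ONLY_FULL_GROUP_BY or on PostgreSQL the statement is rejected outright. The scope check added in the third hunk therefore inspects one arbitrary notice per tag, not every notice that contributed to the tag, and a tag used in both a public and a private dent passes or fails depending on which row the engine happens to pick. The restriction belongs in the WHERE clause next to `$tags->whereAdd($cutoff)` in the second hunk, before aggregation, e.g. for an anonymous viewer `$tags->whereAdd('notice.scope = ' . /* public-scope constant on Notice */);` so that private notices never enter the group at all. The enclosing method continues outside this hunk.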
@@ -117,6 +119,7 @@ class PublictagcloudAction extends Action
         $cutoff = sprintf("notice_tag.created > '%s'",
                           common_sql_date(time() - common_config('tag', 'cutoff')));
         $tags->selectAdd($calc . ' as weight');
+        $tags->joinAdd(array('notice_id', 'notice:id'));
         $tags->whereAdd($cutoff);
         $tags->groupBy('tag');
         $tags->orderBy('weight DESC');
@@ -132,6 +135,28 @@ class PublictagcloudAction extends Action
             $tw = array();
             $sum = 0;
             while ($tags->fetch()) {
+                // Check scope:
+
+                // 1) Get notice object and set id
+                $notice = new Notice();
+                $notice->id    = $tags->notice_id;
+                $notice->scope = $tags->scope;
+
+                // Is it private scope?
+                if ($notice->isPrivateScope()) {
+                    // 2) Get current profile
+                    $profile = Profile::current();
+
+                    // Is the profile not set?
+                    if (!$profile instanceof Profile) {
+                        // Public viewer shall not see a tag from a private dent (privacy leak)
+                        continue;
+                    } elseif (!$notice->inScope($profile)) {
+                        // Current profile is not in scope (not allowed to see) of notice
+                        continue;
+                    }
+                }
+
                 $tw[$tags->tag] = $tags->weight;
                 $sum += $tags->weight;
             }
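Review bot: Filtering after `fetch()` means `$tags->weight` (and thus `$sum`) still counts the private notices that share a tag with a public one, so a tag that passes the check still exposes how often it was used in dents the viewer cannot see; only dropping those rows in the query itself avoids that. The `$notice` built here has only `id` and `scope` populated — whether `isPrivateScope()` and `inScope($profile)` rely on other fields (author, addressees, group membership) cannot be told from this hunk and should be confirmed against `Notice`, since a stub that lacks them may answer "not in scope" for every viewer or, worse, "in scope". `Profile::current()` is also re-evaluated on every private row; hoist it above the `while` loop, `$profile = Profile::current();`, and reuse it. The `// Check scope:` / `// 1)` / `// 2)` numbering reads oddly because step 1 is unconditional and step 2 only runs for private rows; a single comment such as `// Skip tags whose (sampled) notice is private and not visible to the current viewer` says the same thing.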