From af85e498ceb768beba04df743036abbdf9ef1f2b Mon Sep 17 00:00:00 2001 From: Dean Townsley Date: Sat, 8 Jun 2019 10:11:02 -0500 Subject: [PATCH] expand permission check to remote array This check was preventing multiple private images from different users on the same server from loading on the same page. It was only checking for permission for the single id returned by the remote_user() function rather than the multiple possible autheniticated id's stored in the remote arry session variable. --- src/Util/Security.php | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/Util/Security.php b/src/Util/Security.php index d1e668e0d8..0680bc08c1 100644 --- a/src/Util/Security.php +++ b/src/Util/Security.php @@ -120,9 +120,21 @@ class Security extends BaseObject */ if (!$remote_verified) { - if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) { + $cid = 0; + + if (!empty($_SESSION['remote'])) { + foreach ($_SESSION['remote'] as $visitor) { + Logger::log("this remote array entry is".$visitor); + if ($visitor['uid'] == $owner_id) { + $cid = $visitor['cid']; + break; + } + } + } + + if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) { $remote_verified = true; - $groups = Group::getIdsByContactId($remote_user); + $groups = Group::getIdsByContactId($cid); } } @@ -140,9 +152,9 @@ class Security extends BaseObject AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ", - intval($remote_user), + intval($cid), DBA::escape($gs), - intval($remote_user), + intval($cid), DBA::escape($gs) ); } -- 2.39.5