friendica/friendica
6
0
Fork 1
mirror of https://github.com/friendica/friendica synced 2024-05-13 14:49:39 +02:00
Code Issues Packages Projects Releases 1 Wiki Activity

Merge pull request #7678 from annando/remote-rework

Browse source 
Reworked the remote authentication
This commit is contained in:
Hypolite Petovan 2019-09-30 09:18:43 -04:00 committed by GitHub
parent 4d749efcee 6c1d29cf2b
commit 2333526b8a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
38 changed files with 289 additions and 590 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
boot.php
View file

@ -23,6 +23,7 @@ use Friendica\Core\Config;
use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Term;
@ -413,28 +414,13 @@ function public_contact()
*
* @return int|bool visitor_id or false
*/
function remote_user($uid = null)
function remote_user()
{
// You cannot be both local and remote.
// Unncommented by rabuzarus because remote authentication to local
// profiles wasn't possible anymore (2018-04-12).
// if (local_user()) {
// return false;
// }
if (empty($_SESSION['authenticated'])) {
return false;
}
if (!is_null($uid) && !empty($_SESSION['remote'])) {
/// @todo replace it with this:
// if (!empty($_SESSION['remote'][$uid])) ...
foreach ($_SESSION['remote'] as $visitor) {
if ($visitor['uid'] == $uid) {
return $visitor['cid'];
}
}
} elseif (is_null($uid) && !empty($_SESSION['visitor_id'])) {
if (!empty($_SESSION['visitor_id'])) {
return intval($_SESSION['visitor_id']);
}

2
include/conversation.php
View file

@ -365,7 +365,7 @@ function localize_item(&$item)
'network' => $item['author-network'], 'url' => $item['author-link']];
// Only create a redirection to a magic link when logged in
if (!empty($item['plink']) && (local_user() || remote_user())) {
if (!empty($item['plink']) && Session::isAuthenticated()) {
$item['plink'] = Contact::magicLinkByContact($author, $item['plink']);
}
}

13
include/items.php
View file

@ -13,6 +13,7 @@ use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Item;
use Friendica\Protocol\DFRN;
@ -326,7 +327,7 @@ function drop_items(array $items)
{
$uid = 0;
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return;
}
@ -362,14 +363,8 @@ function drop_item($id, $return = '')
$contact_id = 0;
// check if logged in user is either the author or owner of this item
if (!empty($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $visitor) {
if ($visitor['uid'] == $item['uid'] && $visitor['cid'] == $item['contact-id']) {
$contact_id = $visitor['cid'];
break;
}
}
if (Session::getRemoteContactID($item['uid']) == $item['contact-id']) {
$contact_id = $item['contact-id'];
}
if ((local_user() == $item['uid']) || $contact_id) {

20
mod/cal.php
View file

@ -14,6 +14,7 @@ use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Event;
@ -26,11 +27,7 @@ use Friendica\Util\Temporal;
function cal_init(App $a)
{
if ($a->argc > 1) {
DFRN::autoRedir($a, $a->argv[1]);
}
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
throw new \Friendica\Network\HTTPException\ForbiddenException(L10n::t('Access denied.'));
}
@ -113,18 +110,11 @@ function cal_content(App $a)
$owner_uid = intval($a->data['user']['uid']);
$nick = $a->data['user']['nickname'];
if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $a->profile['profile_uid']) {
$contact_id = $v['cid'];
break;
}
}
if (!empty(Session::getRemoteContactID($a->profile['profile_uid']))) {
$contact_id = Session::getRemoteContactID($a->profile['profile_uid']);
}
$groups = [];
if ($contact_id) {
$groups = Group::getIdsByContactId($contact_id);
$r = q("SELECT * FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($a->profile['profile_uid'])
@ -142,7 +132,7 @@ function cal_content(App $a)
}
// get the permissions
$sql_perms = Item::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$sql_perms = Item::getPermissionsSQLByUserId($owner_uid);
// we only want to have the events of the profile owner
$sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;

2
mod/community.php
View file

@ -29,7 +29,7 @@ function community_content(App $a, $update = 0)
{
$o = '';
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
notice(L10n::t('Public access denied.') . EOL);
return;
}

20
mod/dfrn_poll.php
View file

@ -9,6 +9,7 @@ use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Module\Login;
use Friendica\Protocol\DFRN;
@ -49,7 +50,7 @@ function dfrn_poll_init(App $a)
$hidewall = false;
if (($dfrn_id === '') && empty($_POST['dfrn_id'])) {
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
throw new \Friendica\Network\HTTPException\ForbiddenException();
}
@ -110,17 +111,14 @@ function dfrn_poll_init(App $a)
if ((int)$xml->status === 1) {
$_SESSION['authenticated'] = 1;
if (empty($_SESSION['remote'])) {
$_SESSION['remote'] = [];
}
$_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
$_SESSION['visitor_id'] = $r[0]['id'];
$_SESSION['visitor_home'] = $r[0]['url'];
$_SESSION['visitor_handle'] = $r[0]['addr'];
$_SESSION['visitor_visiting'] = $r[0]['uid'];
$_SESSION['my_url'] = $r[0]['url'];
Session::setVisitorsContacts();
if (!$quiet) {
info(L10n::t('%1$s welcomes %2$s', $r[0]['username'], $r[0]['name']) . EOL);
}
@ -517,15 +515,13 @@ function dfrn_poll_content(App $a)
if (((int) $xml->status == 0) && ($xml->challenge == $hash) && ($xml->sec == $sec)) {
$_SESSION['authenticated'] = 1;
if (empty($_SESSION['remote'])) {
$_SESSION['remote'] = [];
}
$_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
$_SESSION['visitor_id'] = $r[0]['id'];
$_SESSION['visitor_home'] = $r[0]['url'];
$_SESSION['visitor_visiting'] = $r[0]['uid'];
$_SESSION['my_url'] = $r[0]['url'];
Session::setVisitorsContacts();
if (!$quiet) {
info(L10n::t('%1$s welcomes %2$s', $r[0]['username'], $r[0]['name']) . EOL);
}

3
mod/dfrn_request.php
View file

@ -19,6 +19,7 @@ use Friendica\Core\Logger;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Group;
@ -592,7 +593,7 @@ function dfrn_request_content(App $a)
exit();
} else {
// Normal web request. Display our user's introduction form.
if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
if (!Config::get('system', 'local_block')) {
notice(L10n::t('Public access denied.') . EOL);
return;

41
mod/display.php
View file

@ -14,6 +14,7 @@ use Friendica\Core\Logger;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Group;
@ -31,7 +32,7 @@ function display_init(App $a)
Objects::rawContent();
}
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
return;
}
@ -52,9 +53,11 @@ function display_init(App $a)
if (DBA::isResult($item)) {
$nick = $a->user["nickname"];
}
}
// Is this item private but could be visible to the remove visitor?
} elseif (remote_user()) {
$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]);
if (!DBA::isResult($item) && remote_user()) {
$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1, 'origin' => true]);
if (DBA::isResult($item)) {
if (!Contact::isFollower(remote_user(), $item['uid'])) {
$item = null;
@ -84,10 +87,6 @@ function display_init(App $a)
displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom');
}
if ($a->argc >= 3 && $nick == 'feed-item') {
displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom');
}
if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) {
Logger::log('Directly serving XML for id '.$item["id"], Logger::DEBUG);
displayShowFeed($item["id"], false);
@ -102,7 +101,7 @@ function display_init(App $a)
if (strstr(Strings::normaliseLink($profiledata["url"]), Strings::normaliseLink(System::baseUrl()))) {
$nickname = str_replace(Strings::normaliseLink(System::baseUrl())."/profile/", "", Strings::normaliseLink($profiledata["url"]));
if (($nickname != $a->user["nickname"])) {
if ($nickname != $a->user["nickname"]) {
$profile = DBA::fetchFirst("SELECT `profile`.`uid` AS `profile_uid`, `profile`.* , `contact`.`avatar-date` AS picdate, `user`.* FROM `profile`
INNER JOIN `contact` on `contact`.`uid` = `profile`.`uid` INNER JOIN `user` ON `profile`.`uid` = `user`.`uid`
WHERE `user`.`nickname` = ? AND `profile`.`is-default` AND `contact`.`self` LIMIT 1",
@ -197,7 +196,7 @@ function display_fetchauthor($a, $item)
function display_content(App $a, $update = false, $update_uid = 0)
{
if (Config::get('system','block_public') && !local_user() && !remote_user()) {
if (Config::get('system','block_public') && !Session::isAuthenticated()) {
throw new HTTPException\ForbiddenException(L10n::t('Public access denied.'));
}
@ -229,8 +228,10 @@ function display_content(App $a, $update = false, $update_uid = 0)
$item_parent = $item["parent"];
$item_parent_uri = $item['parent-uri'];
}
} elseif (remote_user()) {
$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]);
}
if (($item_parent == 0) && remote_user()) {
$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1, 'origin' => true]);
if (DBA::isResult($item) && Contact::isFollower(remote_user(), $item['uid'])) {
$item_id = $item["id"];
$item_parent = $item["parent"];
@ -269,8 +270,6 @@ function display_content(App $a, $update = false, $update_uid = 0)
['$alternate' => $alternate,
'$conversation' => $conversation]);
$groups = [];
$remote_cid = null;
$is_remote_contact = false;
$item_uid = local_user();
@ -279,24 +278,18 @@ function display_content(App $a, $update = false, $update_uid = 0)
if (DBA::isResult($parent)) {
$a->profile['uid'] = defaults($a->profile, 'uid', $parent['uid']);
$a->profile['profile_uid'] = defaults($a->profile, 'profile_uid', $parent['uid']);
$is_remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']);
$is_remote_contact = Session::getRemoteContactID($a->profile['profile_uid']);
if ($is_remote_contact) {
$cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']);
if (!empty($cdata['user'])) {
$groups = Group::getIdsByContactId($cdata['user']);
$remote_cid = $cdata['user'];
$item_uid = $parent['uid'];
}
$item_uid = $parent['uid'];
}
}
}
$page_contact = DBA::selectFirst('contact', [], ['self' => true, 'uid' => $a->profile['uid']]);
if (DBA::isResult($page_contact)) {
$a->page_contact = $page_contact;
}
$is_owner = (local_user() && (in_array($a->profile['profile_uid'], [local_user(), 0])) ? true : false);
if (!empty($a->profile['hidewall']) && !$is_owner && !$is_remote_contact) {
@ -318,7 +311,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
];
$o .= status_editor($a, $x, 0, true);
}
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $is_remote_contact, $groups, $remote_cid);
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid']);
if (local_user() && (local_user() == $a->profile['profile_uid'])) {
$condition = ['parent-uri' => $item_parent_uri, 'uid' => local_user(), 'unseen' => true];
@ -333,7 +326,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
$condition = ["`id` = ? AND `item`.`uid` IN (0, ?) " . $sql_extra, $item_id, $item_uid];
$fields = ['parent-uri', 'body', 'title', 'author-name', 'author-avatar', 'plink', 'author-id', 'owner-id', 'contact-id'];
$item = Item::selectFirstForUser(local_user(), $fields, $condition);
$item = Item::selectFirstForUser($a->profile['profile_uid'], $fields, $condition);
if (!DBA::isResult($item)) {
throw new HTTPException\NotFoundException(L10n::t('The requested item doesn\'t exist or has been deleted.'));

3
mod/hcard.php
View file

@ -6,13 +6,14 @@ use Friendica\App;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Model\Contact;
use Friendica\Model\Profile;
use Friendica\Model\User;
function hcard_init(App $a)
{
$blocked = Config::get('system', 'block_public') && !local_user() && !remote_user();
$blocked = Config::get('system', 'block_public') && !Session::isAuthenticated();
if ($a->argc > 1) {
$which = $a->argv[1];

19
mod/item.php
View file

@ -25,6 +25,7 @@ use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\Protocol;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\Attach;
@ -45,7 +46,7 @@ use Friendica\Worker\Delivery;
require_once __DIR__ . '/../include/items.php';
function item_post(App $a) {
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return 0;
}
@ -348,18 +349,8 @@ function item_post(App $a) {
if (local_user() && ((local_user() == $profile_uid) || $allow_comment)) {
$self = true;
$author = DBA::selectFirst('contact', [], ['uid' => local_user(), 'self' => true]);
} elseif (remote_user()) {
if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $profile_uid) {
$contact_id = $v['cid'];
break;
}
}
}
if ($contact_id) {
$author = DBA::selectFirst('contact', [], ['id' => $contact_id]);
}
} elseif (!empty(Session::getRemoteContactID($profile_uid))) {
$author = DBA::selectFirst('contact', [], ['id' => Session::getRemoteContactID($profile_uid)]);
}
if (DBA::isResult($author)) {
@ -870,7 +861,7 @@ function item_post_return($baseurl, $api_source, $return_path)
function item_content(App $a)
{
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return;
}

78
mod/photos.php
View file

@ -15,6 +15,7 @@ use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Group;
@ -35,11 +36,7 @@ use Friendica\Util\XML;
function photos_init(App $a) {
if ($a->argc > 1) {
DFRN::autoRedir($a, $a->argv[1]);
}
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
return;
}
@ -73,7 +70,7 @@ function photos_init(App $a) {
$albums = Photo::getAlbums($a->data['user']['uid']);
$albums_visible = ((intval($a->data['user']['hidewall']) && !local_user() && !remote_user()) ? false : true);
$albums_visible = ((intval($a->data['user']['hidewall']) && !Session::isAuthenticated()) ? false : true);
// add various encodings to the array so we can just loop through and pick them out in a template
$ret = ['success' => false];
@ -88,7 +85,7 @@ function photos_init(App $a) {
$ret['albums'] = [];
foreach ($albums as $k => $album) {
//hide profile photos to others
if (!$is_owner && !remote_user() && ($album['album'] == L10n::t('Profile Photos')))
if (!$is_owner && !Session::getRemoteContactID($a->profile_uid) && ($album['album'] == L10n::t('Profile Photos')))
continue;
$entry = [
'text' => $album['album'],
@ -154,15 +151,10 @@ function photos_post(App $a)
if (local_user() && (local_user() == $page_owner_uid)) {
$can_post = true;
} elseif ($community_page && remote_user($page_owner_uid)) {
$contact_id = remote_user($page_owner_uid);
if ($contact_id > 0) {
if (DBA::exists('contact', ['id' => $contact_id, 'uid' => $page_owner_uid, 'blocked' => false, 'pending' => false])) {
$can_post = true;
$visitor = $contact_id;
}
}
} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
$contact_id = Session::getRemoteContactID($page_owner_uid);
$can_post = true;
$visitor = $contact_id;
}
if (!$can_post) {
@ -837,7 +829,7 @@ function photos_content(App $a)
// photos/name/image/xxxxx/edit
// photos/name/image/xxxxx/drop
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
notice(L10n::t('Public access denied.') . EOL);
return;
}
@ -883,50 +875,24 @@ function photos_content(App $a)
if (local_user() && (local_user() == $owner_uid)) {
$can_post = true;
} else {
if ($community_page && remote_user()) {
if (is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
} elseif ($community_page && !empty(Session::getRemoteContactID($owner_uid))) {
$contact_id = Session::getRemoteContactID($owner_uid);
$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
if ($contact_id) {
$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
if (DBA::isResult($contact)) {
$can_post = true;
$remote_contact = true;
$visitor = $contact_id;
}
}
if (DBA::isResult($contact)) {
$can_post = true;
$remote_contact = true;
$visitor = $contact_id;
}
}
$groups = [];
// perhaps they're visiting - but not a community page, so they wouldn't have write access
if (remote_user() && !$visitor) {
$contact_id = 0;
if (is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
if (!empty(Session::getRemoteContactID($owner_uid)) && !$visitor) {
$contact_id = Session::getRemoteContactID($owner_uid);
if ($contact_id) {
$groups = Group::getIdsByContactId($contact_id);
$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
$remote_contact = DBA::isResult($contact);
}
$remote_contact = DBA::isResult($contact);
}
if (!$remote_contact && local_user()) {
@ -939,7 +905,7 @@ function photos_content(App $a)
return;
}
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid);
$o = "";
@ -1598,7 +1564,7 @@ function photos_content(App $a)
$twist = false;
foreach ($r as $rr) {
//hide profile photos to others
if (!$is_owner && !remote_user() && ($rr['album'] == L10n::t('Profile Photos'))) {
if (!$is_owner && !Session::getRemoteContactID($owner_uid) && ($rr['album'] == L10n::t('Profile Photos'))) {
continue;
}

49
mod/redir.php
View file

@ -35,7 +35,7 @@ function redir_init(App $a) {
$contact_url = $contact['url'];
if ((!local_user() && !remote_user()) // Visitors (not logged in or not remotes) can't authenticate.
if (!Session::isAuthenticated() // Visitors (not logged in or not remotes) can't authenticate.
|| (!empty($a->contact['id']) && $a->contact['id'] == $cid)) // Local user is already authenticated.
{
$a->redirect(defaults($url, $contact_url));
@ -66,34 +66,16 @@ function redir_init(App $a) {
// with the local contact. Otherwise the local user would ask the local contact
// for authentification everytime he/she is visiting a profile page of the local
// contact.
if ($host == $remotehost
&& !empty($_SESSION['remote'])
&& is_array($_SESSION['remote']))
{
foreach ($_SESSION['remote'] as $v) {
if (!empty($v['uid']) && !empty($v['cid']) &&
$v['uid'] == Session::get('visitor_visiting') &&
$v['cid'] == Session::get('visitor_id')) {
// Remote user is already authenticated.
$target_url = defaults($url, $contact_url);
Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG);
$a->redirect($target_url);
}
}
if (($host == $remotehost) && (Session::getRemoteContactID(Session::get('visitor_visiting')) == Session::get('visitor_id'))) {
// Remote user is already authenticated.
$target_url = defaults($url, $contact_url);
Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG);
$a->redirect($target_url);
}
}
// When the remote page does support OWA, then we enforce the use of it
$basepath = Contact::getBasepath($contact_url);
if (Strings::compareLink($basepath, System::baseUrl())) {
$use_magic = true;
} else {
$serverret = Network::curl($basepath . '/magic');
$use_magic = $serverret->isSuccess();
}
// Doing remote auth with dfrn.
if (local_user() && !$use_magic && (!empty($contact['dfrn-id']) || !empty($contact['issued-id'])) && empty($contact['pending'])) {
if (local_user() && (!empty($contact['dfrn-id']) || !empty($contact['issued-id'])) && empty($contact['pending'])) {
$dfrn_id = $orig_id = (($contact['issued-id']) ? $contact['issued-id'] : $contact['dfrn-id']);
if ($contact['duplex'] && $contact['issued-id']) {
@ -148,23 +130,6 @@ function redir_magic($a, $cid, $url)
Logger::info('Got my url', ['visitor' => $visitor]);
}
/// @todo Most likely these lines are superfluous. We will remove them in the next version
if (empty($visitor) && remote_user()) {
$contact = DBA::selectFirst('contact', ['url'], ['id' => remote_user()]);
if (!empty($contact['url'])) {
$visitor = $contact['url'];
Logger::info('Got remote user', ['visitor' => $visitor]);
}
}
if (empty($visitor) && local_user()) {
$contact = DBA::selectFirst('contact', ['url'], ['id' => local_user()]);
if (!empty($contact['url'])) {
$visitor = $contact['url'];
Logger::info('Got local user', ['visitor' => $visitor]);
}
}
$contact = DBA::selectFirst('contact', ['url'], ['id' => $cid]);
if (!DBA::isResult($contact)) {
Logger::info('Contact not found', ['id' => $cid]);

7
mod/search.php
View file

@ -11,6 +11,7 @@ use Friendica\Core\Cache;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\Session;
use Friendica\Core\Renderer;
use Friendica\Database\DBA;
use Friendica\Model\Item;
@ -83,18 +84,18 @@ function search_init(App $a) {
}
function search_content(App $a) {
if (Config::get('system','block_public') && !local_user() && !remote_user()) {
if (Config::get('system','block_public') && !Session::isAuthenticated()) {
notice(L10n::t('Public access denied.') . EOL);
return;
}
if (Config::get('system','local_search') && !local_user() && !remote_user()) {
if (Config::get('system','local_search') && !Session::isAuthenticated()) {
$e = new \Friendica\Network\HTTPException\ForbiddenException(L10n::t("Only logged in users are permitted to perform a search."));
$e->httpdesc = L10n::t("Public access denied.");
throw $e;
}
if (Config::get('system','permit_crawling') && !local_user() && !remote_user()) {
if (Config::get('system','permit_crawling') && !Session::isAuthenticated()) {
// Default values:
// 10 requests are "free", after the 11th only a call per minute is allowed

2
mod/subthread.php
View file

@ -15,7 +15,7 @@ use Friendica\Util\XML;
function subthread_content(App $a) {
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return;
}

3
mod/tagger.php
View file

@ -7,6 +7,7 @@ use Friendica\Core\Hook;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\Item;
@ -16,7 +17,7 @@ use Friendica\Worker\Delivery;
function tagger_content(App $a) {
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return;
}

68
mod/videos.php
View file

@ -10,6 +10,7 @@ use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Attach;
use Friendica\Model\Contact;
@ -22,11 +23,7 @@ use Friendica\Util\Security;
function videos_init(App $a)
{
if ($a->argc > 1) {
DFRN::autoRedir($a, $a->argv[1]);
}
if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
return;
}
@ -114,7 +111,7 @@ function videos_content(App $a)
// videos/name/video/xxxxx/edit
if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
notice(L10n::t('Public access denied.') . EOL);
return;
}
@ -154,64 +151,25 @@ function videos_content(App $a)
if ((local_user()) && (local_user() == $owner_uid)) {
$can_post = true;
} elseif ($community_page && remote_user()) {
if (!empty($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
if ($contact_id > 0) {
$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($owner_uid)
);
if (DBA::isResult($r)) {
$can_post = true;
$remote_contact = true;
$visitor = $contact_id;
}
}
} elseif ($community_page && !empty(Session::getRemoteContactID($owner_uid))) {
$contact_id = Session::getRemoteContactID($owner_uid);
$can_post = true;
$remote_contact = true;
$visitor = $contact_id;
}
$groups = [];
// perhaps they're visiting - but not a community page, so they wouldn't have write access
if (remote_user() && (!$visitor)) {
$contact_id = 0;
if (!empty($_SESSION['remote'])) {
foreach($_SESSION['remote'] as $v) {
if($v['uid'] == $owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
if ($contact_id > 0) {
$groups = Group::getIdsByContactId($contact_id);
$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($owner_uid)
);
if (DBA::isResult($r)) {
$remote_contact = true;
}
}
if (!empty(Session::getRemoteContactID($owner_uid)) && !$visitor) {
$contact_id = Session::getRemoteContactID($owner_uid);
$remote_contact = true;
}
if ($a->data['user']['hidewall'] && (local_user() != $owner_uid) && (!$remote_contact)) {
if ($a->data['user']['hidewall'] && (local_user() != $owner_uid) && !$remote_contact) {
notice(L10n::t('Access to this item is restricted.') . EOL);
return;
}
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid);
$o = "";

35
mod/wall_attach.php
View file

@ -6,6 +6,7 @@
use Friendica\App;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Attach;
use Friendica\Model\User;
@ -43,35 +44,21 @@ function wall_attach_post(App $a) {
$page_owner_cid = $r[0]['id'];
$community_page = (($r[0]['page-flags'] == User::PAGE_FLAGS_COMMUNITY) ? true : false);
if ((local_user()) && (local_user() == $page_owner_uid)) {
if (local_user() && (local_user() == $page_owner_uid)) {
$can_post = true;
} else {
if ($community_page && remote_user()) {
$contact_id = 0;
} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
$contact_id = Session::getRemoteContactID($page_owner_uid);
$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($page_owner_uid)
);
if (is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $page_owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
if ($contact_id > 0) {
$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($page_owner_uid)
);
if (DBA::isResult($r)) {
$can_post = true;
}
}
if (DBA::isResult($r)) {
$can_post = true;
}
}
if (! $can_post) {
if (!$can_post) {
if ($r_json) {
echo json_encode(['error' => L10n::t('Permission denied.')]);
exit();

36
mod/wall_upload.php
View file

@ -12,6 +12,7 @@ use Friendica\App;
use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Core\Config;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
@ -74,34 +75,21 @@ function wall_upload_post(App $a, $desktopmode = true)
if ((local_user()) && (local_user() == $page_owner_uid)) {
$can_post = true;
} else {
if ($community_page && remote_user()) {
$contact_id = 0;
if (is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) {
if ($v['uid'] == $page_owner_uid) {
$contact_id = $v['cid'];
break;
}
}
}
} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
$contact_id = Session::getRemoteContactID($page_owner_uid);
if ($contact_id) {
$r = q("SELECT `uid` FROM `contact`
WHERE `blocked` = 0 AND `pending` = 0
AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($page_owner_uid)
);
if (DBA::isResult($r)) {
$can_post = true;
$visitor = $contact_id;
}
}
$r = q("SELECT `uid` FROM `contact`
WHERE `blocked` = 0 AND `pending` = 0
AND `id` = %d AND `uid` = %d LIMIT 1",
intval($contact_id),
intval($page_owner_uid)
);
if (DBA::isResult($r)) {
$can_post = true;
$visitor = $contact_id;
}
}
if (!$can_post) {
if ($r_json) {
echo json_encode(['error' => L10n::t('Permission denied.')]);

4
src/Content/Nav.php
View file

@ -149,7 +149,7 @@ class Nav
$nav['usermenu'] = [];
$userinfo = null;
if (local_user() || remote_user()) {
if (Session::isAuthenticated()) {
$nav['logout'] = ['logout', L10n::t('Logout'), '', L10n::t('End this session')];
} else {
$nav['login'] = ['login', L10n::t('Login'), ($a->module == 'login' ? 'selected' : ''), L10n::t('Sign in')];
@ -182,7 +182,7 @@ class Nav
$nav['home'] = [$homelink, L10n::t('Home'), '', L10n::t('Home Page')];
}
if (intval(Config::get('config', 'register_policy')) === \Friendica\Module\Register::OPEN && !local_user() && !remote_user()) {
if (intval(Config::get('config', 'register_policy')) === \Friendica\Module\Register::OPEN && !Session::isAuthenticated()) {
$nav['register'] = ['register', L10n::t('Register'), '', L10n::t('Create an account')];
}

3
src/Content/Widget.php
View file

@ -11,6 +11,7 @@ use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\FileTag;
@ -339,7 +340,7 @@ class Widget
$zcid = 0;
$cid = remote_user($profile_uid);
$cid = Session::getRemoteContactID($profile_uid);
if (!$cid) {
if (Profile::getMyURL()) {

3
src/Core/ACL.php
View file

@ -11,6 +11,7 @@ use Friendica\Content\Feature;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\GContact;
use Friendica\Core\Session;
use Friendica\Util\Network;
/**
@ -333,7 +334,7 @@ class ACL extends BaseObject
*/
public static function contactAutocomplete($search, $mode, int $page = 1)
{
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
return [];
}

81
src/Core/Session.php
View file

@ -53,7 +53,7 @@ class Session
/**
* Retrieves a key from the session super global or the defaults if the key is missing or the value is falsy.
*
*
* Handle the case where session_start() hasn't been called and the super global isn't available.
*
* @param string $name
@ -119,21 +119,10 @@ class Session
'page_flags' => $user_record['page-flags'],
'my_url' => $a->getBaseURL() . '/profile/' . $user_record['nickname'],
'my_address' => $user_record['nickname'] . '@' . substr($a->getBaseURL(), strpos($a->getBaseURL(), '://') + 3),
'addr' => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0'),
'remote' => []
'addr' => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')
]);
$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
while ($contact = DBA::fetch($remote_contacts)) {
if (($contact['uid'] == 0) || Contact::isBlockedByUser($contact['id'], $contact['uid'])) {
continue;
}
/// @todo Change it to this format to save space
// $_SESSION['remote'][$contact['uid']] = $contact['id'];
$_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
}
DBA::close($remote_contacts);
self::setVisitorsContacts();
$member_since = strtotime($user_record['register_date']);
self::set('new_member', time() < ($member_since + ( 60 * 60 * 24 * 14)));
@ -216,4 +205,68 @@ class Session
}
}
}
/**
* Returns contact ID for given user ID
*
* @param integer $uid User ID
* @return integer Contact ID of visitor for given user ID
*/
public static function getRemoteContactID($uid)
{
if (empty($_SESSION['remote'][$uid])) {
return false;
}
return $_SESSION['remote'][$uid];
}
/**
* Returns User ID for given contact ID of the visitor
*
* @param integer $cid Contact ID
* @return integer User ID for given contact ID of the visitor
*/
public static function getUserIDForVisitorContactID($cid)
{
if (empty($_SESSION['remote'])) {
return false;
}
return array_search($cid, $_SESSION['remote']);
}
/**
* Set the session variable that contains the contact IDs for the visitor's contact URL
*
* @param string $url Contact URL
*/
public static function setVisitorsContacts()
{
$_SESSION['remote'] = [];
$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
while ($contact = DBA::fetch($remote_contacts)) {
if (($contact['uid'] == 0) || Contact::isBlockedByUser($contact['id'], $contact['uid'])) {
continue;
}
$_SESSION['remote'][$contact['uid']] = $contact['id'];
}
DBA::close($remote_contacts);
}
/**
* Returns if the current visitor is authenticated
*
* @return boolean "true" when visitor is either a local or remote user
*/
public static function isAuthenticated()
{
if (empty($_SESSION['authenticated'])) {
return false;
}
return $_SESSION['authenticated'];
}
}

7
src/Model/Contact.php
View file

@ -13,6 +13,7 @@ use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\Protocol;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Network\Probe;
@ -1213,7 +1214,7 @@ class Contact extends BaseObject
}
if (($contact['network'] == Protocol::DFRN) && !$contact['self'] && empty($contact['pending'])) {
$poke_link = System::baseUrl() . '/poke/?f=&c=' . $contact['id'];
$poke_link = System::baseUrl() . '/poke/?c=' . $contact['id'];
}
$contact_url = System::baseUrl() . '/contact/' . $contact['id'];
@ -2679,7 +2680,7 @@ class Contact extends BaseObject
*/
public static function magicLink($contact_url, $url = '')
{
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return $url ?: $contact_url; // Equivalent to: ($url != '') ? $url : $contact_url;
}
@ -2725,7 +2726,7 @@ class Contact extends BaseObject
{
$destination = $url ?: $contact['url']; // Equivalent to ($url != '') ? $url : $contact['url'];
if ((!local_user() && !remote_user()) || ($contact['network'] != Protocol::DFRN)) {
if (!Session::isAuthenticated() || ($contact['network'] != Protocol::DFRN)) {
return $destination;
}

11
src/Model/Item.php
View file

@ -18,6 +18,7 @@ use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\System;
use Friendica\Core\Session;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Protocol\ActivityPub;
@ -3028,7 +3029,7 @@ class Item extends BaseObject
*/
public static function performLike($item_id, $verb)
{
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return false;
}
@ -3260,10 +3261,10 @@ class Item extends BaseObject
}
}
public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null, $remote_cid = null)
public static function getPermissionsSQLByUserId($owner_id)
{
$local_user = local_user();
$remote_user = remote_user();
$remote_user = Session::getRemoteContactID($owner_id);
/*
* Construct permissions
@ -3283,7 +3284,7 @@ class Item extends BaseObject
* If pre-verified, the caller is expected to have already
* done this and passed the groups into this function.
*/
$set = PermissionSet::get($owner_id, $remote_cid, $groups);
$set = PermissionSet::get($owner_id, $remote_user);
if (!empty($set)) {
$sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))";
@ -3427,7 +3428,7 @@ class Item extends BaseObject
}
// Update the cached values if there is no "zrl=..." on the links.
$update = (!local_user() && !remote_user() && ($item["uid"] == 0));
$update = (!Session::isAuthenticated() && ($item["uid"] == 0));
// Or update it if the current viewer is the intented viewer.
if (($item["uid"] == local_user()) && ($item["uid"] != 0)) {

15
src/Model/PermissionSet.php
View file

@ -67,21 +67,20 @@ class PermissionSet extends BaseObject
*
* @param integer $uid User id whom the items belong
* @param integer $contact_id Contact id of the visitor
* @param array $groups Possibly previously fetched group ids for that contact
*
* @return array of permission set ids.
* @throws \Exception
*/
static public function get($uid, $contact_id, $groups = null)
static public function get($uid, $contact_id)
{
if (empty($groups) && DBA::exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
if (DBA::exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
$groups = Group::getIdsByContactId($contact_id);
}
if (empty($groups) || !is_array($groups)) {
return [];
}
$group_str = '<<>>'; // should be impossible to match
foreach ($groups as $g) {
@ -90,11 +89,9 @@ class PermissionSet extends BaseObject
$contact_str = '<' . $contact_id . '>';
$condition = ["`uid` = ? AND (`allow_cid` = '' OR`allow_cid` REGEXP ?)
AND (`deny_cid` = '' OR NOT `deny_cid` REGEXP ?)
AND (`allow_gid` = '' OR `allow_gid` REGEXP ?)
AND (`deny_gid` = '' OR NOT `deny_gid` REGEXP ?)",
$uid, $contact_str, $contact_str, $group_str, $group_str];
$condition = ["`uid` = ? AND (NOT (`deny_cid` REGEXP ? OR deny_gid REGEXP ?)
AND (allow_cid REGEXP ? OR allow_gid REGEXP ? OR (allow_cid = '' AND allow_gid = '')))",
$uid, $contact_str, $group_str, $contact_str, $group_str];
$ret = DBA::select('permissionset', ['id'], $condition);
$set = [];

22
src/Model/Photo.php
View file

@ -131,31 +131,17 @@ class Photo extends BaseObject
*/
public static function getPhoto($resourceid, $scale = 0)
{
$r = self::selectFirst(["uid", "allow_cid", "allow_gid", "deny_cid", "deny_gid"], ["resource-id" => $resourceid]);
if ($r === false) {
$r = self::selectFirst(["uid"], ["resource-id" => $resourceid]);
if (!DBA::isResult($r)) {
return false;
}
$uid = $r["uid"];
// This is the first place, when retrieving just a photo, that we know who owns the photo.
// Check if the photo is public (empty allow and deny means public), if so, skip auth attempt, if not
// make sure that the requester's session is appropriately authenticated to that user
// otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
if (!empty($r["allow_cid"]) || !empty($r["allow_gid"]) || !empty($r["deny_cid"]) || !empty($r["deny_gid"])) {
$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
// this will either just return (if auth all ok) or will redirect and exit (starting over)
DFRN::autoRedir(self::getApp(), $r["nickname"]);
}
$uid = $r["uid"];
$sql_acl = Security::getPermissionsSQLByUserId($uid);
$conditions = [
"`resource-id` = ? AND `scale` <= ? " . $sql_acl,
$resourceid, $scale
];
$conditions = ["`resource-id` = ? AND `scale` <= ? " . $sql_acl, $resourceid, $scale];
$params = ["order" => ["scale" => true]];
$photo = self::selectFirst([], $conditions, $params);
return $photo;

57
src/Model/Profile.php
View file

@ -215,7 +215,7 @@ class Profile
);
}
$block = ((Config::get('system', 'block_public') && !local_user() && !remote_user()) ? true : false);
$block = ((Config::get('system', 'block_public') && !Session::isAuthenticated()) ? true : false);
/**
* @todo
@ -248,15 +248,10 @@ class Profile
*/
public static function getByNickname($nickname, $uid = 0, $profile_id = 0)
{
if (remote_user($uid) && !empty($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $visitor) {
if ($visitor['uid'] == $uid) {
$contact = DBA::selectFirst('contact', ['profile-id'], ['id' => $visitor['cid']]);
if (DBA::isResult($contact)) {
$profile_id = $contact['profile-id'];
}
break;
}
if (!empty(Session::getRemoteContactID($uid))) {
$contact = DBA::selectFirst('contact', ['profile-id'], ['id' => Session::getRemoteContactID($uid)]);
if (DBA::isResult($contact)) {
$profile_id = $contact['profile-id'];
}
}
@ -453,7 +448,7 @@ class Profile
$about = !empty($profile['about']) ? L10n::t('About:') : false;
$xmpp = !empty($profile['xmpp']) ? L10n::t('XMPP:') : false;
if ((!empty($profile['hidewall']) || $block) && !local_user() && !remote_user()) {
if ((!empty($profile['hidewall']) || $block) && !Session::isAuthenticated()) {
$location = $gender = $marital = $homepage = $about = false;
}
@ -1029,6 +1024,12 @@ class Profile
*
* Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/include/channel.php
*
* The implementation for Friendica sadly differs in some points from the one for Hubzilla:
* - Hubzilla uses the "zid" parameter, while for Friendica it had been replaced with "zrl"
* - There seem to be some reverse authentication (rmagic) that isn't implemented in Friendica at all
*
* It would be favourable to harmonize the two implementations.
*
* @param App $a Application instance.
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
* @throws \ImagickException
@ -1042,6 +1043,8 @@ class Profile
return;
}
$addr = $_GET['addr'] ?? $my_url;
$arr = ['zrl' => $my_url, 'url' => $a->cmd];
Hook::callAll('zrl_init', $arr);
@ -1072,19 +1075,19 @@ class Profile
Worker::add(PRIORITY_LOW, 'GProbe', $my_url);
// Try to avoid recursion - but send them home to do a proper magic auth.
$query = str_replace(array('?zrl=', '&zid='), array('?rzrl=', '&rzrl='), $a->query_string);
// Remove the "addr" parameter from the destination. It is later added as separate parameter again.
$addr_request = 'addr=' . urlencode($addr);
$query = rtrim(str_replace($addr_request, '', $a->query_string), '?&');
// The other instance needs to know where to redirect.
$dest = urlencode($a->getBaseURL() . '/' . $query);
// We need to extract the basebath from the profile url
// to redirect the visitors '/magic' module.
// Note: We should have the basepath of a contact also in the contact table.
$urlarr = explode('/profile/', $contact['url']);
$basepath = $urlarr[0];
$basepath = Contact::getBasepath($contact['url']);
if ($basepath != $a->getBaseURL() && !strstr($dest, '/magic') && !strstr($dest, '/rmagic')) {
$magic_path = $basepath . '/magic' . '?f=&owa=1&dest=' . $dest;
if ($basepath != $a->getBaseURL() && !strstr($dest, '/magic')) {
$magic_path = $basepath . '/magic' . '?owa=1&dest=' . $dest . '&' . $addr_request;
// We have to check if the remote server does understand /magic without invoking something
$serverret = Network::curl($basepath . '/magic');
@ -1121,17 +1124,7 @@ class Profile
$_SESSION['visitor_home'] = $visitor['url'];
$_SESSION['my_url'] = $visitor['url'];
/// @todo replace this and the query for this variable with some cleaner functionality
$_SESSION['remote'] = [];
$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => $visitor['nurl'], 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
while ($contact = DBA::fetch($remote_contacts)) {
if (($contact['uid'] == 0) || Contact::isBlockedByUser($visitor['id'], $contact['uid'])) {
continue;
}
$_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
}
Session::setVisitorsContacts();
$a->contact = $visitor;
@ -1193,7 +1186,7 @@ class Profile
if (!strlen($s)) {
return $s;
}
if ((!strpos($s, '/profile/')) && (!$force)) {
if (!strpos($s, '/profile/') && !$force) {
return $s;
}
if ($force && substr($s, -1, 1) !== '/') {
@ -1250,7 +1243,7 @@ class Profile
if (!empty($search)) {
$searchTerm = '%' . $search . '%';
$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
FROM `profile`
LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
WHERE `is-default` $publish AND NOT `user`.`blocked` AND NOT `user`.`account_removed`
@ -1272,7 +1265,7 @@ class Profile
$searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm,
$searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm);
} else {
$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
FROM `profile`
LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
WHERE `is-default` $publish AND NOT `user`.`blocked` AND NOT `user`.`account_removed`");

2
src/Module/Debug/Localtime.php
View file

@ -39,7 +39,7 @@ class Localtime extends BaseModule
$output .= '<p>' . L10n::t('Converted localtime: %s', $app->data['mod-localtime']) . '</p>';
}
$output .= '<form action ="' . $app->getBaseURL() . '/localtime?f=&time=' . $time . '" method="post" >';
$output .= '<form action ="' . $app->getBaseURL() . '/localtime?time=' . $time . '" method="post" >';
$output .= '<p>' . L10n::t('Please select your timezone:') . '</p>';
$output .= Temporal::getTimezoneSelect(defaults($_REQUEST, 'timezone', Installer::DEFAULT_TZ));
$output .= '<input type="submit" name="submit" value="' . L10n::t('Submit') . '" /></form>';

5
src/Module/Directory.php
View file

@ -8,6 +8,7 @@ use Friendica\Content\Pager;
use Friendica\Content\Widget;
use Friendica\Core\Hook;
use Friendica\Core\L10n;
use Friendica\Core\Session;
use Friendica\Core\Renderer;
use Friendica\Model\Contact;
use Friendica\Model\Profile;
@ -25,8 +26,8 @@ class Directory extends BaseModule
$app = self::getApp();
$config = $app->getConfig();
if (($config->get('system', 'block_public') && !local_user() && !remote_user()) ||
($config->get('system', 'block_local_dir') && !local_user() && !remote_user())) {
if (($config->get('system', 'block_public') && !Session::isAuthenticated()) ||
($config->get('system', 'block_local_dir') && !Session::isAuthenticated())) {
throw new HTTPException\ForbiddenException(L10n::t('Public access denied.'));
}

3
src/Module/Like.php
View file

@ -4,6 +4,7 @@ namespace Friendica\Module;
use Friendica\BaseModule;
use Friendica\Model\Item;
use Friendica\Core\Session;
use Friendica\Network\HTTPException;
use Friendica\Util\Strings;
@ -14,7 +15,7 @@ class Like extends BaseModule
{
public static function rawContent()
{
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
throw new HTTPException\ForbiddenException();
}

2
src/Module/Logout.php
View file

@ -7,6 +7,7 @@ namespace Friendica\Module;
use Friendica\BaseModule;
use Friendica\Core\Authentication;
use Friendica\Core\Cache;
use Friendica\Core\Hook;
use Friendica\Core\L10n;
use Friendica\Core\System;
@ -27,6 +28,7 @@ class Logout extends BaseModule
$visitor_home = null;
if (remote_user()) {
$visitor_home = Profile::getMyURL();
Cache::delete('zrlInit:' . $visitor_home);
}
Hook::callAll("logging_out");

9
src/Module/Magic.php
View file

@ -32,15 +32,16 @@ class Magic extends BaseModule
$dest = defaults($_REQUEST, 'dest', '');
$test = (!empty($_REQUEST['test']) ? intval($_REQUEST['test']) : 0);
$owa = (!empty($_REQUEST['owa']) ? intval($_REQUEST['owa']) : 0);
$cid = 0;
if (!empty($addr)) {
$cid = Contact::getIdForURL($addr);
} else {
} elseif (!empty($dest)) {
$cid = Contact::getIdForURL($dest);
}
if (!$cid) {
Logger::log('No contact record found: ' . json_encode($_REQUEST), Logger::DEBUG);
Logger::info('No contact record found', $_REQUEST);
// @TODO Finding a more elegant possibility to redirect to either internal or external URL
$a->redirect($dest);
}
@ -96,9 +97,9 @@ class Magic extends BaseModule
} else {
$token = $j['token'];
}
$x = strpbrk($dest, '?&');
$args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token);
$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;
Logger::info('Redirecting', ['path' => $dest . $args]);
System::externalRedirect($dest . $args);
}
}

25
src/Module/Profile.php
View file

@ -48,8 +48,6 @@ class Profile extends BaseModule
if (local_user() && $a->argc > 2 && $a->argv[2] === 'view') {
self::$which = $a->user['nickname'];
self::$profile = filter_var($a->argv[1], FILTER_SANITIZE_NUMBER_INT);
} else {
DFRN::autoRedir($a, self::$which);
}
}
@ -86,8 +84,8 @@ class Profile extends BaseModule
$a->page['htmlhead'] .= "\n";
$blocked = !local_user() && !remote_user() && Config::get('system', 'block_public');
$userblock = !local_user() && !remote_user() && $a->profile['hidewall'];
$blocked = !local_user() && !Session::getRemoteContactID($a->profile['profile_uid']) && Config::get('system', 'block_public');
$userblock = !local_user() && !Session::getRemoteContactID($a->profile['profile_uid']) && $a->profile['hidewall'];
if (!empty($a->profile['page-flags']) && $a->profile['page-flags'] == User::PAGE_FLAGS_COMMUNITY) {
$a->page['htmlhead'] .= '<meta name="friendica.community" content="true" />' . "\n";
@ -153,13 +151,10 @@ class Profile extends BaseModule
$hashtags = defaults($_GET, 'tag', '');
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !local_user() && !Session::getRemoteContactID($a->profile['profile_uid'])) {
return Login::form();
}
$groups = [];
$remote_cid = null;
$o = '';
if ($update) {
@ -169,17 +164,9 @@ class Profile extends BaseModule
Nav::setSelected('home');
}
$remote_contact = ContactModel::isFollower(remote_user(), $a->profile['profile_uid']);
$remote_contact = Session::getRemoteContactID($a->profile['profile_uid']);
$is_owner = local_user() == $a->profile['profile_uid'];
$last_updated_key = "profile:" . $a->profile['profile_uid'] . ":" . local_user() . ":" . remote_user();
if ($remote_contact) {
$cdata = ContactModel::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']);
if (!empty($cdata['user'])) {
$groups = Group::getIdsByContactId($cdata['user']);
$remote_cid = $cdata['user'];
}
}
$last_updated_key = "profile:" . $a->profile['profile_uid'] . ":" . local_user() . ":" . $remote_contact;
if (!empty($a->profile['hidewall']) && !$is_owner && !$remote_contact) {
notice(L10n::t('Access to this profile has been restricted.') . EOL);
@ -229,7 +216,7 @@ class Profile extends BaseModule
}
// Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups, $remote_cid);
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid']);
$sql_extra2 = '';
$last_updated_array = Session::get('last_updated', []);

3
src/Module/Profile/Contacts.php
View file

@ -10,6 +10,7 @@ use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\Session;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Profile;
@ -19,7 +20,7 @@ class Contacts extends BaseModule
{
public static function content()
{
if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
throw new \Friendica\Network\HTTPException\NotFoundException(L10n::t('User not found.'));
}

13
src/Object/Post.php
View file

@ -14,8 +14,8 @@ use Friendica\Core\L10n;
use Friendica\Core\Logger;
use Friendica\Core\PConfig;
use Friendica\Core\Protocol;
use Friendica\Core\Renderer;
use Friendica\Core\Session;
use Friendica\Core\Renderer;
use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Item;
@ -71,13 +71,8 @@ class Post extends BaseObject
$this->setTemplate('wall');
$this->toplevel = $this->getId() == $this->getDataValue('parent');
if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $visitor) {
if ($visitor['cid'] == $this->getDataValue('contact-id')) {
$this->visiting = true;
break;
}
}
if (!empty(Session::getUserIDForVisitorContactID($this->getDataValue('contact-id')))) {
$this->visiting = true;
}
$this->writable = $this->getDataValue('writable') || $this->getDataValue('self');
@ -224,7 +219,7 @@ class Post extends BaseObject
$author = ['uid' => 0, 'id' => $item['author-id'],
'network' => $item['author-network'], 'url' => $item['author-link']];
if (local_user() || remote_user()) {
if (Session::isAuthenticated()) {
$profile_link = Contact::magicLinkByContact($author);
} else {
$profile_link = $item['author-link'];

109
src/Protocol/DFRN.php
View file

@ -2849,115 +2849,6 @@ class DFRN
return 200;
}
/**
* @param App $a App
* @param string $contact_nick contact nickname
* @throws \Friendica\Network\HTTPException\InternalServerErrorException
*/
public static function autoRedir(App $a, $contact_nick)
{
// prevent looping
if (!empty($_REQUEST['redir'])) {
Logger::log('autoRedir might be looping because redirect has been redirected', Logger::DEBUG);
// looping prevention also appears to sometimes prevent authentication for images
// because browser may have multiple connections open and load an image on a connection
// whose session wasn't updated when a previous redirect authenticated
// Leaving commented in case looping reappears
//return;
}
if ((! $contact_nick) || ($contact_nick === $a->user['nickname'])) {
return;
}
if (local_user()) {
// We need to find out if $contact_nick is a user on this hub, and if so, if I
// am a contact of that user. However, that user may have other contacts with the
// same nickname as me on other hubs or other networks. Exclude these by requiring
// that the contact have a local URL. I will be the only person with my nickname at
// this URL, so if a result is found, then I am a contact of the $contact_nick user.
//
// We also have to make sure that I'm a legitimate contact--I'm not blocked or pending.
$baseurl = System::baseUrl();
$domain_st = strpos($baseurl, "://");
if ($domain_st === false) {
return;
}
$baseurl = substr($baseurl, $domain_st + 3);
$nurl = Strings::normaliseLink($baseurl);
$r = User::getByNickname($contact_nick, ["uid"]);
$contact_uid = $r["uid"];
/// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange.
$r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1)
AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1",
DBA::escape($contact_nick),
DBA::escape($a->user['nickname']),
DBA::escape($baseurl),
DBA::escape($nurl)
);
if ((! DBA::isResult($r))) {
return;
}
// test if redirect authentication already succeeded
// Note that "contact" in the sense used in the $contact_nick argument to this function
// and the sense in the $remote[]["cid"] in the session are opposite.
// In the session variable the user currently fetching is the contact
// while $contact_nick is the nick of tho user who owns the stuff being fetched.
foreach (Session::get('remote', []) as $visitor) {
if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) {
return;
}
}
$r = q("SELECT * FROM contact WHERE nick = '%s'
AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1",
DBA::escape($contact_nick),
DBA::escape(Protocol::DFRN),
intval(local_user()),
DBA::escape($baseurl)
);
if (! DBA::isResult($r)) {
return;
}
$cid = $r[0]['id'];
$dfrn_id = (($r[0]['issued-id']) ? $r[0]['issued-id'] : $r[0]['dfrn-id']);
if ($r[0]['duplex'] && $r[0]['issued-id']) {
$orig_id = $r[0]['issued-id'];
$dfrn_id = '1:' . $orig_id;
}
if ($r[0]['duplex'] && $r[0]['dfrn-id']) {
$orig_id = $r[0]['dfrn-id'];
$dfrn_id = '0:' . $orig_id;
}
// ensure that we've got a valid ID. There may be some edge cases with forums and non-duplex mode
// that may have triggered some of the "went to {profile/intro} and got an RSS feed" issues
if (strlen($dfrn_id) < 3) {
return;
}
$sec = Strings::getRandomHex();
DBA::insert('profile_check', ['uid' => local_user(), 'cid' => $cid, 'dfrn_id' => $dfrn_id, 'sec' => $sec, 'expire' => time() + 45]);
$url = curPageURL();
Logger::log('auto_redir: ' . $r[0]['name'] . ' ' . $sec, Logger::DEBUG);
$dest = (($url) ? '&destination_url=' . $url : '');
System::externalRedirect($r[0]['poll'] . '?dfrn_id=' . $dfrn_id
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec . $dest);
}
return;
}
/**
* @brief Returns the activity verb
*

2
src/Protocol/Diaspora.php
View file

@ -1608,7 +1608,7 @@ class Diaspora
}
if (self::isRedmatrix($contact["url"])) {
return $contact["url"] . "/?f=&mid=" . $guid;
return $contact["url"] . "/?mid=" . $guid;
}
if ($parent_guid != '') {

82
src/Util/Security.php
View file

@ -10,6 +10,7 @@ use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Group;
use Friendica\Model\User;
use Friendica\Core\Session;
/**
* Secures that User is allow to do requests
@ -20,7 +21,7 @@ class Security extends BaseObject
{
static $verified = 0;
if (!local_user() && !remote_user()) {
if (!Session::isAuthenticated()) {
return false;
}
@ -33,7 +34,7 @@ class Security extends BaseObject
return true;
}
if (remote_user($owner)) {
if (!empty(Session::getRemoteContactID($owner))) {
// use remembered decision and avoid a DB lookup for each and every display item
// DO NOT use this function if there are going to be multiple owners
// We have a contact-id for an authenticated remote user, this block determines if the contact
@ -44,14 +45,14 @@ class Security extends BaseObject
} elseif ($verified === 1) {
return false;
} else {
$cid = remote_user($owner);
$cid = Session::getRemoteContactID($owner);
if (!$cid) {
return false;
}
$r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid`
WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
AND `user`.`blockwall` = 0 AND `readonly` = 0 AND (`contact`.`rel` IN (%d , %d) OR `user`.`page-flags` = %d) LIMIT 1",
intval($owner),
intval($cid),
intval(Contact::SHARING),
@ -71,11 +72,10 @@ class Security extends BaseObject
return false;
}
/// @TODO $groups should be array
public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
public static function getPermissionsSQLByUserId($owner_id)
{
$local_user = local_user();
$remote_user = remote_user();
$remote_contact = Session::getRemoteContactID($owner_id);
/*
* Construct permissions
@ -83,10 +83,9 @@ class Security extends BaseObject
* default permissions - anonymous user
*/
$sql = " AND allow_cid = ''
AND allow_gid = ''
AND deny_cid = ''
AND deny_gid = ''
";
AND allow_gid = ''
AND deny_cid = ''
AND deny_gid = '' ";
/*
* Profile owner - everything is visible
@ -94,59 +93,28 @@ class Security extends BaseObject
if ($local_user && $local_user == $owner_id) {
$sql = '';
/*
* Authenticated visitor. Unless pre-verified,
* check that the contact belongs to this $owner_id
* and load the groups the visitor belongs to.
* If pre-verified, the caller is expected to have already
* done this and passed the groups into this function.
* Authenticated visitor. Load the groups the visitor belongs to.
*/
} elseif ($remote_user) {
/*
* Authenticated visitor. Unless pre-verified,
* check that the contact belongs to this $owner_id
* and load the groups the visitor belongs to.
* If pre-verified, the caller is expected to have already
* done this and passed the groups into this function.
*/
} elseif ($remote_contact) {
$gs = '<<>>'; // should be impossible to match
if (!$remote_verified) {
$cid = 0;
$groups = Group::getIdsByContactId($remote_contact);
foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
if ($visitor['uid'] == $owner_id) {
$cid = $visitor['cid'];
break;
}
}
if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
$remote_verified = true;
$groups = Group::getIdsByContactId($cid);
if (is_array($groups)) {
foreach ($groups as $g) {
$gs .= '|<' . intval($g) . '>';
}
}
if ($remote_verified) {
$gs = '<<>>'; // should be impossible to match
if (is_array($groups)) {
foreach ($groups as $g) {
$gs .= '|<' . intval($g) . '>';
}
}
$sql = sprintf(
" AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
)
",
intval($cid),
DBA::escape($gs),
intval($cid),
DBA::escape($gs)
);
}
$sql = sprintf(
" AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR (allow_cid = '' AND allow_gid = ''))) ",
intval($remote_contact),
DBA::escape($gs),
intval($remote_contact),
DBA::escape($gs)
);
}
return $sql;
}
}