From 37376fa71553fcadd00206a963356511789ce70b Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 8 Mar 2020 13:16:59 +0000 Subject: [PATCH] Issue 8371: Improvements for picture permissions --- database.sql | 3 ++- mod/settings.php | 7 +++++ src/Model/Photo.php | 27 ++++++++++++++----- src/Module/Photo.php | 4 +-- src/Util/Security.php | 21 ++++++++++++--- static/dbstructure.config.php | 3 ++- view/templates/settings/settings.tpl | 2 ++ .../frio/templates/settings/settings.tpl | 2 ++ 8 files changed, 54 insertions(+), 15 deletions(-) diff --git a/database.sql b/database.sql index b4c65fb89..f33f89211 100644 --- a/database.sql +++ b/database.sql @@ -1,6 +1,6 @@ -- ------------------------------------------ -- Friendica 2020.03-dev (Dalmatian Bellflower) --- DB_UPDATE_VERSION 1336 +-- DB_UPDATE_VERSION 1337 -- ------------------------------------------ @@ -948,6 +948,7 @@ CREATE TABLE IF NOT EXISTS `photo` ( `allow_gid` mediumtext COMMENT 'Access Control - list of allowed groups', `deny_cid` mediumtext COMMENT 'Access Control - list of denied contact.id', `deny_gid` mediumtext COMMENT 'Access Control - list of denied groups', + `accessible` boolean NOT NULL DEFAULT '0' COMMENT 'Make photo publicly accessible, ignoring permissions', `backend-class` tinytext COMMENT 'Storage backend class', `backend-ref` text COMMENT 'Storage backend data reference', `updated` datetime NOT NULL DEFAULT '0001-01-01 00:00:00' COMMENT '', diff --git a/mod/settings.php b/mod/settings.php index 9a73b83e6..79bf16d78 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -319,6 +319,7 @@ function settings_post(App $a) $hide_friends = (($_POST['hide-friends'] == 1) ? 1: 0); $hidewall = (($_POST['hidewall'] == 1) ? 1: 0); $unlisted = (($_POST['unlisted'] == 1) ? 1: 0); + $accessiblephotos = (($_POST['accessible-photos'] == 1) ? 1: 0); $email_textonly = (($_POST['email_textonly'] == 1) ? 1 : 0); $detailed_notif = (($_POST['detailed_notif'] == 1) ? 1 : 0); @@ -417,6 +418,7 @@ function settings_post(App $a) DI::pConfig()->set(local_user(), 'system', 'email_textonly', $email_textonly); DI::pConfig()->set(local_user(), 'system', 'detailed_notif', $detailed_notif); DI::pConfig()->set(local_user(), 'system', 'unlisted', $unlisted); + DI::pConfig()->set(local_user(), 'system', 'accessible-photos', $accessiblephotos); if ($page_flags == User::PAGE_FLAGS_PRVGROUP) { $hidewall = 1; @@ -843,6 +845,10 @@ function settings_content(App $a) '$field' => ['unlisted', DI::l10n()->t('Make public posts unlisted'), DI::pConfig()->get(local_user(), 'system', 'unlisted'), DI::l10n()->t('Your public posts will not appear on the community pages or in search results, nor be sent to relay servers. However they can still appear on public feeds on remote servers.')], ]); + $accessiblephotos = Renderer::replaceMacros($opt_tpl, [ + '$field' => ['accessible-photos', DI::l10n()->t('Make all posted pictures accessible'), DI::pConfig()->get(local_user(), 'system', 'accessible-photos'), DI::l10n()->t("This option makes every posted picture accessible via the direct link. This is a workaround for the problem that most other networks can't handle permissions on pictures. Non public pictures still won't be visible for the public on your photo albums though.")], + ]); + $blockwall = Renderer::replaceMacros($opt_tpl, [ '$field' => ['blockwall', DI::l10n()->t('Allow friends to post to your profile page?'), (intval($a->user['blockwall']) ? '0' : '1'), DI::l10n()->t('Your contacts may write posts on your profile wall. These posts will be distributed to your contacts')], ]); @@ -957,6 +963,7 @@ function settings_content(App $a) '$hide_friends' => $hide_friends, '$hide_wall' => $hide_wall, '$unlisted' => $unlisted, + '$accessiblephotos' => $accessiblephotos, '$unkmail' => $unkmail, '$cntunkmail' => ['cntunkmail', DI::l10n()->t('Maximum private messages per day from unknown people:'), $cntunkmail , DI::l10n()->t("\x28to prevent spam abuse\x29")], diff --git a/src/Model/Photo.php b/src/Model/Photo.php index ccb0f2add..301231f6b 100644 --- a/src/Model/Photo.php +++ b/src/Model/Photo.php @@ -141,7 +141,7 @@ class Photo * @return boolean|array * @throws \Exception */ - public static function getPhoto($resourceid, $scale = 0) + public static function getPhoto(string $resourceid, int $scale = 0) { $r = self::selectFirst(["uid"], ["resource-id" => $resourceid]); if (!DBA::isResult($r)) { @@ -150,7 +150,9 @@ class Photo $uid = $r["uid"]; - $sql_acl = Security::getPermissionsSQLByUserId($uid); + $accessible = $uid ? DI::pConfig()->get($uid, 'system', 'accessible-photos') : false; + + $sql_acl = Security::getPermissionsSQLByUserId($uid, $accessible); $conditions = ["`resource-id` = ? AND `scale` <= ? " . $sql_acl, $resourceid, $scale]; $params = ["order" => ["scale" => true]]; @@ -656,18 +658,29 @@ class Photo // Ensure to only modify photos that you own $srch = '<' . intval($original_contact_id) . '>'; - $condition = [ - 'allow_cid' => $srch, 'allow_gid' => '', 'deny_cid' => '', 'deny_gid' => '', - 'resource-id' => $image_rid, 'uid' => $uid - ]; + $condition = ["(`allow_cid` = ? OR `allow_cid` IS NULL) AND + (`allow_gid` = ? OR `allow_gid` IS NULL) AND + (`deny_cid` = ? OR `deny_cid` IS NULL) AND + (`deny_gid` = ? OR `deny_gid` IS NULL) AND + `resource-id` = ? AND `uid` =?", $srch, '', '', '', $image_rid, $uid]; if (!Photo::exists($condition)) { continue; } - /// @todo Check if $str_contact_allow does contain a public forum. Then set the permissions to public. + /** + * @todo Existing permissions need to be mixed with the new ones. + * Otherwise this creates problems with sharing the same picture multiple times + * Also check if $str_contact_allow does contain a public forum. + * Then set the permissions to public. + */ $fields = ['allow_cid' => $str_contact_allow, 'allow_gid' => $str_group_allow, 'deny_cid' => $str_contact_deny, 'deny_gid' => $str_group_deny]; + + if (DI::pConfig()->get($uid, 'system', 'accessible-photos')) { + $fields['accessible'] = true; + } + $condition = ['resource-id' => $image_rid, 'uid' => $uid]; Logger::info('Set permissions', ['condition' => $condition, 'permissions' => $fields]); Photo::update($fields, $condition); diff --git a/src/Module/Photo.php b/src/Module/Photo.php index 2cb29af5f..826d86bdd 100644 --- a/src/Module/Photo.php +++ b/src/Module/Photo.php @@ -84,13 +84,13 @@ class Photo extends BaseModule } $photo = MPhoto::getPhoto($photoid, $scale); if ($photo === false) { - $photo = MPhoto::createPhotoForSystemResource("images/nosign.jpg"); + throw new \Friendica\Network\HTTPException\NotFoundException(DI::l10n()->t('The Photo with id %s is not available.', $photoid)); } break; } if ($photo === false) { - System::httpExit('404', 'Not Found'); + throw new \Friendica\Network\HTTPException\NotFoundException(); } $cacheable = ($photo["allow_cid"] . $photo["allow_gid"] . $photo["deny_cid"] . $photo["deny_gid"] === "") && (isset($photo["cacheable"]) ? $photo["cacheable"] : true); diff --git a/src/Util/Security.php b/src/Util/Security.php index 929853c2f..423338216 100644 --- a/src/Util/Security.php +++ b/src/Util/Security.php @@ -87,20 +87,32 @@ class Security return false; } - public static function getPermissionsSQLByUserId($owner_id) + /** + * Create a permission string for an element based on the visitor + * + * @param integer $owner_id User ID of the owner of the element + * @param boolean $accessible Should the element be accessible anyway? + * @return string SQL permissions + */ + public static function getPermissionsSQLByUserId(int $owner_id, bool $accessible = false) { $local_user = local_user(); $remote_contact = Session::getRemoteContactID($owner_id); + $acc_sql = ''; + + if ($accessible) { + $acc_sql = ' OR `accessible`'; + } /* * Construct permissions * * default permissions - anonymous user */ - $sql = " AND allow_cid = '' + $sql = " AND (allow_cid = '' AND allow_gid = '' AND deny_cid = '' - AND deny_gid = '' "; + AND deny_gid = ''" . $acc_sql . ") "; /* * Profile owner - everything is visible @@ -123,7 +135,8 @@ class Security $sql = sprintf( " AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s') - AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR (allow_cid = '' AND allow_gid = ''))) ", + AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' + OR (allow_cid = '' AND allow_gid = ''))" . $acc_sql . ") ", intval($remote_contact), DBA::escape($gs), intval($remote_contact), diff --git a/static/dbstructure.config.php b/static/dbstructure.config.php index 8cd01b4ae..cfbee73fb 100755 --- a/static/dbstructure.config.php +++ b/static/dbstructure.config.php @@ -51,7 +51,7 @@ use Friendica\Database\DBA; if (!defined('DB_UPDATE_VERSION')) { - define('DB_UPDATE_VERSION', 1336); + define('DB_UPDATE_VERSION', 1337); } return [ @@ -1051,6 +1051,7 @@ return [ "allow_gid" => ["type" => "mediumtext", "comment" => "Access Control - list of allowed groups"], "deny_cid" => ["type" => "mediumtext", "comment" => "Access Control - list of denied contact.id"], "deny_gid" => ["type" => "mediumtext", "comment" => "Access Control - list of denied groups"], + "accessible" => ["type" => "boolean", "not null" => "1", "default" => "0", "comment" => "Make photo publicly accessible, ignoring permissions"], "backend-class" => ["type" => "tinytext", "comment" => "Storage backend class"], "backend-ref" => ["type" => "text", "comment" => "Storage backend data reference"], "updated" => ["type" => "datetime", "not null" => "1", "default" => DBA::NULL_DATETIME, "comment" => ""] diff --git a/view/templates/settings/settings.tpl b/view/templates/settings/settings.tpl index f8b199180..fd0de22da 100644 --- a/view/templates/settings/settings.tpl +++ b/view/templates/settings/settings.tpl @@ -55,6 +55,8 @@ {{$unlisted nofilter}} +{{$accessiblephotos nofilter}} + {{$blockwall nofilter}} {{$blocktags nofilter}} diff --git a/view/theme/frio/templates/settings/settings.tpl b/view/theme/frio/templates/settings/settings.tpl index dc9c27b89..11e697b30 100644 --- a/view/theme/frio/templates/settings/settings.tpl +++ b/view/theme/frio/templates/settings/settings.tpl @@ -91,6 +91,8 @@ {{$unlisted nofilter}} + {{$accessiblephotos nofilter}} + {{$blockwall nofilter}} {{$blocktags nofilter}}