1
0
Fork 0

Merge pull request #4277 from annando/item-permissions

Ensure that the user id in a thread always stays the same
This commit is contained in:
Hypolite Petovan 2018-01-19 08:18:37 -05:00 committed by GitHub
commit 8c47df474d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -34,7 +34,7 @@ require_once 'include/text.php';
require_once 'include/items.php'; require_once 'include/items.php';
function item_post(App $a) { function item_post(App $a) {
if (!local_user() && !remote_user() && !x($_REQUEST, 'commenter')) { if (!local_user() && !remote_user()) {
return; return;
} }
@ -84,6 +84,7 @@ function item_post(App $a) {
$parid = 0; $parid = 0;
$r = false; $r = false;
$objecttype = null; $objecttype = null;
$parent_user = null;
if ($parent || $parent_uri) { if ($parent || $parent_uri) {
@ -125,6 +126,7 @@ function item_post(App $a) {
$parent_item = $r[0]; $parent_item = $r[0];
$parent = $parent_item['id']; $parent = $parent_item['id'];
$parent_uri = $parent_item['uri']; $parent_uri = $parent_item['uri'];
$parent_user = $parent_item['uid'];
if ($parent_item['contact-id']) { if ($parent_item['contact-id']) {
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1", $r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
@ -171,6 +173,11 @@ function item_post(App $a) {
$extid = (x($_REQUEST, 'extid') ? strip_tags($_REQUEST['extid']) : ''); $extid = (x($_REQUEST, 'extid') ? strip_tags($_REQUEST['extid']) : '');
$object = (x($_REQUEST, 'object') ? $_REQUEST['object'] : ''); $object = (x($_REQUEST, 'object') ? $_REQUEST['object'] : '');
// Ensure that the user id in a thread always stay the same
if (!is_null($parent_user) && in_array($parent_user, [local_user(), 0])) {
$profile_uid = $parent_user;
}
// Check for multiple posts with the same message id (when the post was created via API) // Check for multiple posts with the same message id (when the post was created via API)
if (($message_id != '') && ($profile_uid != 0)) { if (($message_id != '') && ($profile_uid != 0)) {
$r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", $r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
@ -184,28 +191,11 @@ function item_post(App $a) {
} }
} }
$allow_moderated = false;
// here is where we are going to check for permission to post a moderated comment.
// First check that the parent exists and it is a wall item.
if (x($_REQUEST, 'commenter') && (!$parent || !$parent_item['wall'])) {
notice(t('Permission denied.') . EOL) ;
if (x($_REQUEST, 'return')) {
goaway($return_path);
}
killme();
}
// Allow commenting if it is an answer to a public post // Allow commenting if it is an answer to a public post
$allow_comment = ($profile_uid == 0) && $parent && in_array($parent_item['network'], [NETWORK_OSTATUS, NETWORK_DIASPORA, NETWORK_DFRN]); $allow_comment = local_user() && ($profile_uid == 0) && $parent && in_array($parent_item['network'], [NETWORK_OSTATUS, NETWORK_DIASPORA, NETWORK_DFRN]);
/* // Now check that valid personal details have been provided
* Now check that it is a page_type of PAGE_BLOG, and that valid personal details if (!can_write_wall($profile_uid) && !$allow_comment) {
* have been provided, and run any anti-spam plugins
*/
if (!(can_write_wall($profile_uid) || $allow_comment) && !$allow_moderated) {
notice(t('Permission denied.') . EOL) ; notice(t('Permission denied.') . EOL) ;
if (x($_REQUEST, 'return')) { if (x($_REQUEST, 'return')) {
goaway($return_path); goaway($return_path);
@ -734,7 +724,7 @@ function item_post(App $a) {
$datarray['parent-uri'] = $parent_uri; $datarray['parent-uri'] = $parent_uri;
$datarray['postopts'] = $postopts; $datarray['postopts'] = $postopts;
$datarray['origin'] = $origin; $datarray['origin'] = $origin;
$datarray['moderated'] = $allow_moderated; $datarray['moderated'] = false;
$datarray['gcontact-id'] = GContact::getId(["url" => $datarray['author-link'], "network" => $datarray['network'], $datarray['gcontact-id'] = GContact::getId(["url" => $datarray['author-link'], "network" => $datarray['network'],
"photo" => $datarray['author-avatar'], "name" => $datarray['author-name']]); "photo" => $datarray['author-avatar'], "name" => $datarray['author-name']]);
$datarray['object'] = $object; $datarray['object'] = $object;