Merge pull request #4277 from annando/item-permissions
Ensure that the user id in a thread always stays the same
This commit is contained in:
commit
8c47df474d
1 changed files with 12 additions and 22 deletions
34
mod/item.php
34
mod/item.php
|
@ -34,7 +34,7 @@ require_once 'include/text.php';
|
||||||
require_once 'include/items.php';
|
require_once 'include/items.php';
|
||||||
|
|
||||||
function item_post(App $a) {
|
function item_post(App $a) {
|
||||||
if (!local_user() && !remote_user() && !x($_REQUEST, 'commenter')) {
|
if (!local_user() && !remote_user()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -84,6 +84,7 @@ function item_post(App $a) {
|
||||||
$parid = 0;
|
$parid = 0;
|
||||||
$r = false;
|
$r = false;
|
||||||
$objecttype = null;
|
$objecttype = null;
|
||||||
|
$parent_user = null;
|
||||||
|
|
||||||
if ($parent || $parent_uri) {
|
if ($parent || $parent_uri) {
|
||||||
|
|
||||||
|
@ -125,6 +126,7 @@ function item_post(App $a) {
|
||||||
$parent_item = $r[0];
|
$parent_item = $r[0];
|
||||||
$parent = $parent_item['id'];
|
$parent = $parent_item['id'];
|
||||||
$parent_uri = $parent_item['uri'];
|
$parent_uri = $parent_item['uri'];
|
||||||
|
$parent_user = $parent_item['uid'];
|
||||||
|
|
||||||
if ($parent_item['contact-id']) {
|
if ($parent_item['contact-id']) {
|
||||||
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
|
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
|
||||||
|
@ -171,6 +173,11 @@ function item_post(App $a) {
|
||||||
$extid = (x($_REQUEST, 'extid') ? strip_tags($_REQUEST['extid']) : '');
|
$extid = (x($_REQUEST, 'extid') ? strip_tags($_REQUEST['extid']) : '');
|
||||||
$object = (x($_REQUEST, 'object') ? $_REQUEST['object'] : '');
|
$object = (x($_REQUEST, 'object') ? $_REQUEST['object'] : '');
|
||||||
|
|
||||||
|
// Ensure that the user id in a thread always stay the same
|
||||||
|
if (!is_null($parent_user) && in_array($parent_user, [local_user(), 0])) {
|
||||||
|
$profile_uid = $parent_user;
|
||||||
|
}
|
||||||
|
|
||||||
// Check for multiple posts with the same message id (when the post was created via API)
|
// Check for multiple posts with the same message id (when the post was created via API)
|
||||||
if (($message_id != '') && ($profile_uid != 0)) {
|
if (($message_id != '') && ($profile_uid != 0)) {
|
||||||
$r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
|
$r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
|
||||||
|
@ -184,28 +191,11 @@ function item_post(App $a) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$allow_moderated = false;
|
|
||||||
|
|
||||||
// here is where we are going to check for permission to post a moderated comment.
|
|
||||||
|
|
||||||
// First check that the parent exists and it is a wall item.
|
|
||||||
|
|
||||||
if (x($_REQUEST, 'commenter') && (!$parent || !$parent_item['wall'])) {
|
|
||||||
notice(t('Permission denied.') . EOL) ;
|
|
||||||
if (x($_REQUEST, 'return')) {
|
|
||||||
goaway($return_path);
|
|
||||||
}
|
|
||||||
killme();
|
|
||||||
}
|
|
||||||
|
|
||||||
// Allow commenting if it is an answer to a public post
|
// Allow commenting if it is an answer to a public post
|
||||||
$allow_comment = ($profile_uid == 0) && $parent && in_array($parent_item['network'], [NETWORK_OSTATUS, NETWORK_DIASPORA, NETWORK_DFRN]);
|
$allow_comment = local_user() && ($profile_uid == 0) && $parent && in_array($parent_item['network'], [NETWORK_OSTATUS, NETWORK_DIASPORA, NETWORK_DFRN]);
|
||||||
|
|
||||||
/*
|
// Now check that valid personal details have been provided
|
||||||
* Now check that it is a page_type of PAGE_BLOG, and that valid personal details
|
if (!can_write_wall($profile_uid) && !$allow_comment) {
|
||||||
* have been provided, and run any anti-spam plugins
|
|
||||||
*/
|
|
||||||
if (!(can_write_wall($profile_uid) || $allow_comment) && !$allow_moderated) {
|
|
||||||
notice(t('Permission denied.') . EOL) ;
|
notice(t('Permission denied.') . EOL) ;
|
||||||
if (x($_REQUEST, 'return')) {
|
if (x($_REQUEST, 'return')) {
|
||||||
goaway($return_path);
|
goaway($return_path);
|
||||||
|
@ -734,7 +724,7 @@ function item_post(App $a) {
|
||||||
$datarray['parent-uri'] = $parent_uri;
|
$datarray['parent-uri'] = $parent_uri;
|
||||||
$datarray['postopts'] = $postopts;
|
$datarray['postopts'] = $postopts;
|
||||||
$datarray['origin'] = $origin;
|
$datarray['origin'] = $origin;
|
||||||
$datarray['moderated'] = $allow_moderated;
|
$datarray['moderated'] = false;
|
||||||
$datarray['gcontact-id'] = GContact::getId(["url" => $datarray['author-link'], "network" => $datarray['network'],
|
$datarray['gcontact-id'] = GContact::getId(["url" => $datarray['author-link'], "network" => $datarray['network'],
|
||||||
"photo" => $datarray['author-avatar'], "name" => $datarray['author-name']]);
|
"photo" => $datarray['author-avatar'], "name" => $datarray['author-name']]);
|
||||||
$datarray['object'] = $object;
|
$datarray['object'] = $object;
|
||||||
|
|
Loading…
Reference in a new issue