bitPickups/friendica_2020-09-1_sharedHosting
1
0
Fork 0
Code Pull requests Activity

Merge pull request #5946 from JonnyTischbein/move_include_security

Browse source 
Move and Split include/security
This commit is contained in:
Hypolite Petovan 2018-10-19 08:55:08 -04:00 committed by GitHub
commit ec0d3a6eac
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
40 changed files with 625 additions and 591 deletions
Download patch file Download diff file Expand all files Collapse all files

53
mod/admin.php
View file

@ -6,6 +6,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Content\Feature;
use Friendica\Content\Text\Markdown;
use Friendica\Core\Addon;
@ -314,7 +315,7 @@ function admin_page_tos(App $a)
'$preview' => L10n::t('Privacy Statement Preview'),
'$privtext' => $tos->privacy_complete,
'$tostext' => ['tostext', L10n::t('The Terms of Service'), Config::get('system', 'tostext'), L10n::t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
'$form_security_token' => get_form_security_token("admin_tos"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_tos"),
'$submit' => L10n::t('Save Settings'),
]);
}
@ -325,7 +326,7 @@ function admin_page_tos(App $a)
*/
function admin_page_tos_post(App $a)
{
check_form_security_token_redirectOnErr('/admin/tos', 'admin_tos');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
if (!x($_POST, "page_tos")) {
return;
@ -385,7 +386,7 @@ function admin_page_blocklist(App $a)
'$entries' => $blocklistform,
'$baseurl' => System::baseUrl(true),
'$confirm_delete' => L10n::t('Delete entry from blocklist?'),
'$form_security_token' => get_form_security_token("admin_blocklist")
'$form_security_token' => BaseModule::getFormSecurityToken("admin_blocklist")
]);
}
@ -400,7 +401,7 @@ function admin_page_blocklist_post(App $a)
return;
}
check_form_security_token_redirectOnErr('/admin/blocklist', 'admin_blocklist');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/blocklist', 'admin_blocklist');
if (x($_POST['page_blocklist_save'])) {
// Add new item to blocklist
@ -443,7 +444,7 @@ function admin_page_contactblock_post(App $a)
$contact_url = x($_POST, 'contact_url') ? $_POST['contact_url'] : '';
$contacts = x($_POST, 'contacts') ? $_POST['contacts'] : [];
check_form_security_token_redirectOnErr('/admin/contactblock', 'admin_contactblock');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/contactblock', 'admin_contactblock');
if (x($_POST, 'page_contactblock_block')) {
$contact_id = Contact::getIdForURL($contact_url);
@ -500,7 +501,7 @@ function admin_page_contactblock(App $a)
'$h_newblock' => L10n::t('Block New Remote Contact'),
'$th_contacts' => [L10n::t('Photo'), L10n::t('Name'), L10n::t('Address'), L10n::t('Profile URL')],
'$form_security_token' => get_form_security_token("admin_contactblock"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_contactblock"),
// values //
'$baseurl' => System::baseUrl(true),
@ -535,7 +536,7 @@ function admin_page_deleteitem(App $a)
'$intro2' => L10n::t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
'$deleteitemguid' => ['deleteitemguid', L10n::t("GUID"), '', L10n::t("The GUID of the item you want to delete."), 'required', 'autofocus'],
'$baseurl' => System::baseUrl(),
'$form_security_token' => get_form_security_token("admin_deleteitem")
'$form_security_token' => BaseModule::getFormSecurityToken("admin_deleteitem")
]);
}
@ -553,7 +554,7 @@ function admin_page_deleteitem_post(App $a)
return;
}
check_form_security_token_redirectOnErr('/admin/deleteitem/', 'admin_deleteitem');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/deleteitem/', 'admin_deleteitem');
if (x($_POST['page_deleteitem_submit'])) {
$guid = trim(notags($_POST['deleteitemguid']));
@ -945,7 +946,7 @@ function admin_page_summary(App $a)
*/
function admin_page_site_post(App $a)
{
check_form_security_token_redirectOnErr('/admin/site', 'admin_site');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/site', 'admin_site');
if (!empty($_POST['republish_directory'])) {
Worker::add(PRIORITY_LOW, 'Directory');
@ -1541,7 +1542,7 @@ function admin_page_site(App $a)
'$relay_server_tags' => ['relay_server_tags', L10n::t("Server tags"), Config::get('system','relay_server_tags'), L10n::t("Comma separated list of tags for the 'tags' subscription.")],
'$relay_user_tags' => ['relay_user_tags', L10n::t("Allow user tags"), Config::get('system', 'relay_user_tags', true), L10n::t("If enabled, the tags from the saved searches will used for the 'tags' subscription in addition to the 'relay_server_tags'.")],
'$form_security_token' => get_form_security_token("admin_site"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_site"),
'$relocate_button' => L10n::t('Start Relocation'),
]);
}
@ -1656,7 +1657,7 @@ function admin_page_users_post(App $a)
$nu_email = defaults($_POST, 'new_user_email' , '');
$nu_language = Config::get('system', 'language');
check_form_security_token_redirectOnErr('/admin/users', 'admin_users');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
if (!($nu_name === "") && !($nu_email === "") && !($nu_nickname === "")) {
try {
@ -1772,14 +1773,14 @@ function admin_page_users(App $a)
}
switch ($a->argv[2]) {
case "delete":
check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
// delete user
User::remove($uid);
notice(L10n::t("User '%s' deleted", $user['username']) . EOL);
break;
case "block":
check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
q("UPDATE `user` SET `blocked` = %d WHERE `uid` = %s",
intval(1 - $user['blocked']),
intval($uid)
@ -1926,7 +1927,7 @@ function admin_page_users(App $a)
'$confirm_delete_multi' => L10n::t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
'$confirm_delete' => L10n::t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
'$form_security_token' => get_form_security_token("admin_users"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_users"),
// values //
'$baseurl' => System::baseUrl(true),
@ -1971,7 +1972,7 @@ function admin_page_addons(App $a)
}
if (x($_GET, "a") && $_GET['a'] == "t") {
check_form_security_token_redirectOnErr('/admin/addons', 'admin_themes', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_themes', 't');
// Toggle addon status
$idx = array_search($addon, $a->addons);
@ -2033,7 +2034,7 @@ function admin_page_addons(App $a)
'$screenshot' => '',
'$readme' => $readme,
'$form_security_token' => get_form_security_token("admin_themes"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@ -2041,7 +2042,7 @@ function admin_page_addons(App $a)
* List addons
*/
if (x($_GET, "a") && $_GET['a'] == "r") {
check_form_security_token_redirectOnErr(System::baseUrl() . '/admin/addons', 'admin_themes', 't');
BaseModule::checkFormSecurityTokenRedirectOnError(System::baseUrl() . '/admin/addons', 'admin_themes', 't');
Addon::reload();
info("Addons reloaded");
goaway(System::baseUrl() . '/admin/addons');
@ -2084,7 +2085,7 @@ function admin_page_addons(App $a)
'$addons' => $addons,
'$pcount' => count($addons),
'$noplugshint' => L10n::t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
'$form_security_token' => get_form_security_token("admin_themes"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@ -2219,7 +2220,7 @@ function admin_page_themes(App $a)
}
if (x($_GET, "a") && $_GET['a'] == "t") {
check_form_security_token_redirectOnErr('/admin/themes', 'admin_themes', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
// Toggle theme status
@ -2301,13 +2302,13 @@ function admin_page_themes(App $a)
'$screenshot' => $screenshot,
'$readme' => $readme,
'$form_security_token' => get_form_security_token("admin_themes"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
// reload active themes
if (x($_GET, "a") && $_GET['a'] == "r") {
check_form_security_token_redirectOnErr(System::baseUrl() . '/admin/themes', 'admin_themes', 't');
BaseModule::checkFormSecurityTokenRedirectOnError(System::baseUrl() . '/admin/themes', 'admin_themes', 't');
foreach ($themes as $th) {
if ($th['allowed']) {
Theme::uninstall($th['name']);
@ -2340,7 +2341,7 @@ function admin_page_themes(App $a)
'$noplugshint' => L10n::t('No themes found on the system. They should be placed in %1$s', '<code>/view/themes</code>'),
'$experimental' => L10n::t('[Experimental]'),
'$unsupported' => L10n::t('[Unsupported]'),
'$form_security_token' => get_form_security_token("admin_themes"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@ -2352,7 +2353,7 @@ function admin_page_themes(App $a)
function admin_page_logs_post(App $a)
{
if (x($_POST, "page_logs")) {
check_form_security_token_redirectOnErr('/admin/logs', 'admin_logs');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
$logfile = ((x($_POST,'logfile')) ? notags(trim($_POST['logfile'])) : '');
$debugging = ((x($_POST,'debugging')) ? true : false);
@ -2414,7 +2415,7 @@ function admin_page_logs(App $a)
'$debugging' => ['debugging', L10n::t("Enable Debugging"), Config::get('system', 'debugging'), ""],
'$logfile' => ['logfile', L10n::t("Log file"), Config::get('system', 'logfile'), L10n::t("Must be writable by web server. Relative to your Friendica top-level directory.")],
'$loglevel' => ['loglevel', L10n::t("Log level"), Config::get('system', 'loglevel'), "", $log_choices],
'$form_security_token' => get_form_security_token("admin_logs"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_logs"),
'$phpheader' => L10n::t("PHP logging"),
'$phphint' => L10n::t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
@ -2485,7 +2486,7 @@ function admin_page_viewlogs(App $a)
*/
function admin_page_features_post(App $a)
{
check_form_security_token_redirectOnErr('/admin/features', 'admin_manage_features');
BaseModule::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
logger('postvars: ' . print_r($_POST, true), LOGGER_DATA);
@ -2550,7 +2551,7 @@ function admin_page_features(App $a)
$tpl = get_markup_template('admin/settings_features.tpl');
$o = replace_macros($tpl, [
'$form_security_token' => get_form_security_token("admin_manage_features"),
'$form_security_token' => BaseModule::getFormSecurityToken("admin_manage_features"),
'$title' => L10n::t('Manage Additional Features'),
'$features' => $arr,
'$submit' => L10n::t('Save Settings'),

4
mod/attach.php
View file

@ -6,9 +6,9 @@
use Friendica\App;
use Friendica\Core\L10n;
use Friendica\Database\DBA;
use Friendica\Util\Security;
require_once 'include/dba.php';
require_once 'include/security.php';
function attach_init(App $a)
{
@ -27,7 +27,7 @@ function attach_init(App $a)
return;
}
$sql_extra = permissions_sql($r['uid']);
$sql_extra = Security::getPermissionsSQLByUserId($r['uid']);
// Now we'll see if we can access the attachment

4
mod/cal.php
View file

@ -17,10 +17,12 @@ use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Event;
use Friendica\Model\Group;
use Friendica\Model\Item;
use Friendica\Model\Profile;
use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Temporal;
use Friendica\Util\Security;
function cal_init(App $a)
{
@ -141,7 +143,7 @@ function cal_content(App $a)
}
// get the permissions
$sql_perms = item_permissions_sql($owner_uid, $remote_contact, $groups);
$sql_perms = Item::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
// we only want to have the events of the profile owner
$sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;

1
mod/community.php
View file

@ -91,7 +91,6 @@ function community_content(App $a, $update = 0)
}
}
require_once 'include/security.php';
require_once 'include/conversation.php';
if (!$update) {

6
mod/delegate.php
View file

@ -4,11 +4,13 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\Protocol;
use Friendica\Core\System;
use Friendica\Database\DBA;
use Friendica\Model\User;
use Friendica\Util\Security;
require_once 'mod/settings.php';
@ -28,7 +30,7 @@ function delegate_post(App $a)
return;
}
check_form_security_token_redirectOnErr('/delegate', 'delegate');
BaseModule::checkFormSecurityTokenRedirectOnError('/delegate', 'delegate');
$parent_uid = defaults($_POST, 'parent_user', 0);
$parent_password = defaults($_POST, 'parent_password', '');
@ -162,7 +164,7 @@ function delegate_content(App $a)
}
$o = replace_macros(get_markup_template('delegate.tpl'), [
'$form_security_token' => get_form_security_token('delegate'),
'$form_security_token' => BaseModule::getFormSecurityToken('delegate'),
'$parent_header' => L10n::t('Parent User'),
'$parent_user' => $parent_user,
'$parent_password' => $parent_password,

4
mod/display.php
View file

@ -18,6 +18,7 @@ use Friendica\Model\Item;
use Friendica\Model\Profile;
use Friendica\Protocol\DFRN;
use Friendica\Protocol\ActivityPub;
use Friendica\Util\Security;
function display_init(App $a)
{
@ -200,7 +201,6 @@ function display_content(App $a, $update = false, $update_uid = 0)
return;
}
require_once 'include/security.php';
require_once 'include/conversation.php';
$o = '';
@ -325,7 +325,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
$o .= status_editor($a, $x, 0, true);
}
$sql_extra = item_permissions_sql($a->profile['uid'], $is_remote_contact, $groups);
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['uid'], $is_remote_contact, $groups);
if (local_user() && (local_user() == $a->profile['uid'])) {
$condition = ['parent-uri' => $item_parent_uri, 'uid' => local_user(), 'unseen' => true];

1
mod/filer.php
View file

@ -6,7 +6,6 @@ use Friendica\App;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
require_once 'include/security.php';
require_once 'include/items.php';
function filer_content(App $a)

18
mod/group.php
View file

@ -6,6 +6,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
@ -13,6 +14,7 @@ use Friendica\Core\System;
use Friendica\Database\DBA;
use Friendica\Model;
use Friendica\Module;
use Friendica\Util\Security;
function group_init(App $a) {
if (local_user()) {
@ -28,7 +30,7 @@ function group_post(App $a) {
}
if (($a->argc == 2) && ($a->argv[1] === 'new')) {
check_form_security_token_redirectOnErr('/group/new', 'group_edit');
BaseModule::checkFormSecurityTokenRedirectOnError('/group/new', 'group_edit');
$name = notags(trim($_POST['groupname']));
$r = Model\Group::create(local_user(), $name);
@ -46,7 +48,7 @@ function group_post(App $a) {
}
if (($a->argc == 2) && intval($a->argv[1])) {
check_form_security_token_redirectOnErr('/group', 'group_edit');
BaseModule::checkFormSecurityTokenRedirectOnError('/group', 'group_edit');
$r = q("SELECT * FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1",
intval($a->argv[1]),
@ -107,7 +109,7 @@ function group_content(App $a) {
'$title' => L10n::t('Create a group of contacts/friends.'),
'$gname' => ['groupname', L10n::t('Group Name: '), '', ''],
'$gid' => 'new',
'$form_security_token' => get_form_security_token("group_edit"),
'$form_security_token' => BaseModule::getFormSecurityToken("group_edit"),
]);
@ -137,7 +139,7 @@ function group_content(App $a) {
if (($a->argc == 3) && ($a->argv[1] === 'drop')) {
check_form_security_token_redirectOnErr('/group', 'group_drop', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/group', 'group_drop', 't');
if (intval($a->argv[2])) {
$r = q("SELECT `name` FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1",
@ -162,7 +164,7 @@ function group_content(App $a) {
}
if (($a->argc > 2) && intval($a->argv[1]) && intval($a->argv[2])) {
check_form_security_token_ForbiddenOnErr('group_member_change', 't');
BaseModule::checkFormSecurityTokenForbiddenOnError('group_member_change', 't');
$r = q("SELECT `id` FROM `contact` WHERE `id` = %d AND `uid` = %d and `self` = 0 and `blocked` = 0 AND `pending` = 0 LIMIT 1",
intval($a->argv[2]),
@ -216,7 +218,7 @@ function group_content(App $a) {
$drop_txt = replace_macros($drop_tpl, [
'$id' => $group['id'],
'$delete' => L10n::t('Delete Group'),
'$form_security_token' => get_form_security_token("group_drop"),
'$form_security_token' => BaseModule::getFormSecurityToken("group_drop"),
]);
@ -225,7 +227,7 @@ function group_content(App $a) {
'$gname' => ['groupname', L10n::t('Group Name: '), $group['name'], ''],
'$gid' => $group['id'],
'$drop' => $drop_txt,
'$form_security_token' => get_form_security_token('group_edit'),
'$form_security_token' => BaseModule::getFormSecurityToken('group_edit'),
'$edit_name' => L10n::t('Edit Group Name'),
'$editable' => 1,
];
@ -244,7 +246,7 @@ function group_content(App $a) {
'contacts' => [],
];
$sec_token = addslashes(get_form_security_token('group_member_change'));
$sec_token = addslashes(BaseModule::getFormSecurityToken('group_member_change'));
// Format the data of the group members
foreach ($members as $member) {

6
mod/invite.php
View file

@ -7,6 +7,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
@ -14,6 +15,7 @@ use Friendica\Core\System;
use Friendica\Database\DBA;
use Friendica\Protocol\Email;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Security;
function invite_post(App $a)
{
@ -22,7 +24,7 @@ function invite_post(App $a)
return;
}
check_form_security_token_redirectOnErr('/', 'send_invite');
BaseModule::checkFormSecurityTokenRedirectOnError('/', 'send_invite');
$max_invites = intval(Config::get('system', 'max_invites'));
if (! $max_invites) {
@ -139,7 +141,7 @@ function invite_content(App $a) {
}
$o = replace_macros($tpl, [
'$form_security_token' => get_form_security_token("send_invite"),
'$form_security_token' => BaseModule::getFormSecurityToken("send_invite"),
'$title' => L10n::t('Send invitations'),
'$recipients' => ['recipients', L10n::t('Enter email addresses, one per line:')],
'$message' => ['message', L10n::t('Your message:'),L10n::t('You are cordially invited to join me and other close friends on Friendica - and help us to create a better social web.') . "\r\n" . "\r\n"

7
mod/item.php
View file

@ -32,6 +32,7 @@ use Friendica\Protocol\Diaspora;
use Friendica\Protocol\Email;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Emailer;
use Friendica\Util\Security;
require_once 'include/enotify.php';
require_once 'include/text.php';
@ -42,8 +43,6 @@ function item_post(App $a) {
return 0;
}
require_once 'include/security.php';
$uid = local_user();
if (!empty($_REQUEST['dropitems'])) {
@ -162,7 +161,7 @@ function item_post(App $a) {
$allow_comment = local_user() && ($profile_uid == 0) && $parent && in_array($parent_item['network'], [Protocol::ACTIVITYPUB, Protocol::OSTATUS, Protocol::DIASPORA, Protocol::DFRN]);
// Now check that valid personal details have been provided
if (!can_write_wall($profile_uid) && !$allow_comment) {
if (!Security::canWriteToUserWall($profile_uid) && !$allow_comment) {
notice(L10n::t('Permission denied.') . EOL) ;
if (!empty($_REQUEST['return'])) {
@ -871,8 +870,6 @@ function item_content(App $a)
return;
}
require_once 'include/security.php';
$o = '';
if (($a->argc == 3) && ($a->argv[1] === 'drop') && intval($a->argv[2])) {

1
mod/like.php
View file

@ -4,7 +4,6 @@ use Friendica\App;
use Friendica\Core\System;
use Friendica\Model\Item;
require_once 'include/security.php';
require_once 'include/items.php';
function like_content(App $a) {

4
mod/manage.php
View file

@ -3,6 +3,7 @@
* @file mod/manage.php
*/
use Friendica\App;
use Friendica\Core\Authentication;
use Friendica\Core\Addon;
use Friendica\Core\L10n;
use Friendica\Core\System;
@ -109,8 +110,7 @@ function manage_post(App $a) {
unset($_SESSION['sysmsg_info']);
}
require_once('include/security.php');
authenticate_success($r[0], true, true);
Authentication::setAuthenticatedSessionForUser($r[0], true, true);
if ($limited_id) {
$_SESSION['submanage'] = $original_id;

1
mod/notes.php
View file

@ -33,7 +33,6 @@ function notes_content(App $a, $update = false)
return;
}
require_once 'include/security.php';
require_once 'include/conversation.php';
$o = Profile::getTabs($a, true);

4
mod/openid.php
View file

@ -4,6 +4,7 @@
*/
use Friendica\App;
use Friendica\Core\Authentication;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\System;
@ -50,8 +51,7 @@ function openid_content(App $a) {
unset($_SESSION['openid']);
require_once('include/security.php');
authenticate_success($r[0],true,true);
Authentication::setAuthenticatedSessionForUser($r[0],true,true);
// just in case there was no return url set
// and we fell through

5
mod/photo.php
View file

@ -6,8 +6,7 @@
use Friendica\App;
use Friendica\Database\DBA;
use Friendica\Object\Image;
require_once 'include/security.php';
use Friendica\Util\Security;
function photo_init(App $a)
{
@ -111,7 +110,7 @@ function photo_init(App $a)
intval($resolution)
);
if (DBA::isResult($r)) {
$sql_extra = permissions_sql($r[0]['uid']);
$sql_extra = Security::getPermissionsSQLByUserId($r[0]['uid']);
// Now we'll see if we can access the photo
$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` <= %d $sql_extra ORDER BY scale DESC LIMIT 1",

13
mod/photos.php
View file

@ -26,9 +26,9 @@ use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Map;
use Friendica\Util\Temporal;
use Friendica\Util\Security;
require_once 'include/items.php';
require_once 'include/security.php';
function photos_init(App $a) {
@ -948,7 +948,6 @@ function photos_content(App $a)
return;
}
require_once 'include/security.php';
require_once 'include/conversation.php';
if (empty($a->data['user'])) {
@ -1053,7 +1052,7 @@ function photos_content(App $a)
return;
}
$sql_extra = permissions_sql($owner_uid, $remote_contact, $groups);
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$o = "";
@ -1473,7 +1472,7 @@ function photos_content(App $a)
$tpl = get_markup_template('photo_item.tpl');
$return_url = $a->cmd;
if ($can_post || can_write_wall($owner_uid)) {
if ($can_post || Security::canWriteToUserWall($owner_uid)) {
$like_tpl = get_markup_template('like_noshare.tpl');
$likebuttons = replace_macros($like_tpl, [
'$id' => $link_item['id'],
@ -1485,7 +1484,7 @@ function photos_content(App $a)
}
if (!DBA::isResult($items)) {
if (($can_post || can_write_wall($owner_uid))) {
if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl, [
'$return_path' => '',
'$jsreload' => $return_url,
@ -1524,7 +1523,7 @@ function photos_content(App $a)
$dislike = format_like($conv_responses['dislike'][$link_item['uri']], $conv_responses['dislike'][$link_item['uri'] . '-l'], 'dislike', $link_item['id']);
}
if (($can_post || can_write_wall($owner_uid))) {
if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl,[
'$return_path' => '',
'$jsreload' => $return_url,
@ -1584,7 +1583,7 @@ function photos_content(App $a)
'$comment' => $comment
]);
if (($can_post || can_write_wall($owner_uid))) {
if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl, [
'$return_path' => '',
'$jsreload' => $return_url,

1
mod/poke.php
View file

@ -21,7 +21,6 @@ use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\Item;
require_once 'include/security.php';
require_once 'include/items.php';
function poke_init(App $a)

6
mod/profile.php
View file

@ -20,6 +20,7 @@ use Friendica\Model\Profile;
use Friendica\Module\Login;
use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Security;
use Friendica\Protocol\ActivityPub;
function profile_init(App $a)
@ -130,7 +131,6 @@ function profile_content(App $a, $update = 0)
return Login::form();
}
require_once 'include/security.php';
require_once 'include/conversation.php';
require_once 'include/items.php';
@ -210,7 +210,7 @@ function profile_content(App $a, $update = 0)
$a->page['aside'] .= Widget::categories(System::baseUrl(true) . '/profile/' . $a->profile['nickname'], (!empty($category) ? xmlify($category) : ''));
$a->page['aside'] .= Widget::tagCloud();
if (can_write_wall($a->profile['profile_uid'])) {
if (Security::canWriteToUserWall($a->profile['profile_uid'])) {
$x = [
'is_owner' => $is_owner,
'allow_location' => ($is_owner || $commvisitor) && $a->profile['allow_location'],
@ -234,7 +234,7 @@ function profile_content(App $a, $update = 0)
// Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
$sql_extra = item_permissions_sql($a->profile['profile_uid'], $remote_contact, $groups);
$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups);
$sql_extra2 = '';
if ($update) {

10
mod/profile_photo.php
View file

@ -4,6 +4,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\System;
@ -13,6 +14,7 @@ use Friendica\Model\Contact;
use Friendica\Model\Photo;
use Friendica\Model\Profile;
use Friendica\Object\Image;
use Friendica\Util\Security;
function profile_photo_init(App $a)
{
@ -30,7 +32,7 @@ function profile_photo_post(App $a)
return;
}
check_form_security_token_redirectOnErr('/profile_photo', 'profile_photo');
BaseModule::checkFormSecurityTokenRedirectOnError('/profile_photo', 'profile_photo');
if (!empty($_POST['cropfinal']) && $_POST['cropfinal'] == 1) {
@ -186,7 +188,7 @@ function profile_photo_content(App $a)
$imagecrop = [];
if (isset($a->argv[1]) && $a->argv[1] == 'use' && $a->argc >= 3) {
// check_form_security_token_redirectOnErr('/profile_photo', 'profile_photo');
// BaseModule::checkFormSecurityTokenRedirectOnError('/profile_photo', 'profile_photo');
$resource_id = $a->argv[2];
//die(":".local_user());
@ -246,7 +248,7 @@ function profile_photo_content(App $a)
'$title' => L10n::t('Upload Profile Photo'),
'$submit' => L10n::t('Upload'),
'$profiles' => $profiles,
'$form_security_token' => get_form_security_token("profile_photo"),
'$form_security_token' => BaseModule::getFormSecurityToken("profile_photo"),
'$select' => sprintf('%s %s', L10n::t('or'),
($newuser) ? '<a href="' . System::baseUrl() . '">' . L10n::t('skip this step') . '</a>' : '<a href="' . System::baseUrl() . '/photos/' . $a->user['nickname'] . '">' . L10n::t('select a photo from your photo albums') . '</a>')
]);
@ -263,7 +265,7 @@ function profile_photo_content(App $a)
'$image_url' => System::baseUrl() . '/photo/' . $filename,
'$title' => L10n::t('Crop Image'),
'$desc' => L10n::t('Please adjust the image cropping for optimum viewing.'),
'$form_security_token' => get_form_security_token("profile_photo"),
'$form_security_token' => BaseModule::getFormSecurityToken("profile_photo"),
'$done' => L10n::t('Done Editing')
]);
return $o;

19
mod/profiles.php
View file

@ -4,6 +4,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Content\ContactSelector;
use Friendica\Content\Feature;
use Friendica\Content\Nav;
@ -41,7 +42,7 @@ function profiles_init(App $a) {
return; // NOTREACHED
}
check_form_security_token_redirectOnErr('/profiles', 'profile_drop', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/profiles', 'profile_drop', 't');
// move every contact using this profile as their default to the user default
@ -64,7 +65,7 @@ function profiles_init(App $a) {
if (($a->argc > 1) && ($a->argv[1] === 'new')) {
check_form_security_token_redirectOnErr('/profiles', 'profile_new', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/profiles', 'profile_new', 't');
$r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d",
intval(local_user()));
@ -100,7 +101,7 @@ function profiles_init(App $a) {
if (($a->argc > 2) && ($a->argv[1] === 'clone')) {
check_form_security_token_redirectOnErr('/profiles', 'profile_clone', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/profiles', 'profile_clone', 't');
$r0 = q("SELECT `id` FROM `profile` WHERE `uid` = %d",
intval(local_user()));
@ -195,7 +196,7 @@ function profiles_post(App $a) {
return;
}
check_form_security_token_redirectOnErr('/profiles', 'profile_edit');
BaseModule::checkFormSecurityTokenRedirectOnError('/profiles', 'profile_edit');
$is_default = (($orig[0]['is-default']) ? 1 : 0);
@ -565,10 +566,10 @@ function profiles_content(App $a) {
],
'$multi_profiles' => Feature::isEnabled(local_user(), 'multi_profiles'),
'$form_security_token' => get_form_security_token("profile_edit"),
'$form_security_token_photo' => get_form_security_token("profile_photo"),
'$profile_clone_link' => ((Feature::isEnabled(local_user(), 'multi_profiles')) ? 'profiles/clone/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_clone") : ""),
'$profile_drop_link' => 'profiles/drop/' . $r[0]['id'] . '?t=' . get_form_security_token("profile_drop"),
'$form_security_token' => BaseModule::getFormSecurityToken("profile_edit"),
'$form_security_token_photo' => BaseModule::getFormSecurityToken("profile_photo"),
'$profile_clone_link' => ((Feature::isEnabled(local_user(), 'multi_profiles')) ? 'profiles/clone/' . $r[0]['id'] . '?t=' . BaseModule::getFormSecurityToken("profile_clone") : ""),
'$profile_drop_link' => 'profiles/drop/' . $r[0]['id'] . '?t=' . BaseModule::getFormSecurityToken("profile_drop"),
'$profile_action' => L10n::t('Profile Actions'),
'$banner' => L10n::t('Edit Profile Details'),
@ -681,7 +682,7 @@ function profiles_content(App $a) {
'$header' => L10n::t('Edit/Manage Profiles'),
'$chg_photo' => L10n::t('Change profile photo'),
'$cr_new' => L10n::t('Create New Profile'),
'$cr_new_link' => 'profiles/new?t=' . get_form_security_token("profile_new"),
'$cr_new_link' => 'profiles/new?t=' . BaseModule::getFormSecurityToken("profile_new"),
'$profiles' => $profiles
]);
}

5
mod/register.php
View file

@ -4,6 +4,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Content\Text\BBCode;
use Friendica\Core\Addon;
use Friendica\Core\Config;
@ -18,7 +19,7 @@ require_once 'include/enotify.php';
function register_post(App $a)
{
check_form_security_token_redirectOnErr('/register', 'register');
BaseModule::checkFormSecurityTokenRedirectOnError('/register', 'register');
$verified = 0;
$blocked = 1;
@ -289,7 +290,7 @@ function register_content(App $a)
'$showprivstatement' => Config::get('system', 'tosprivstatement'),
'$privstatement' => $tos->privacy_complete,
'$baseurl' => System::baseurl(),
'$form_security_token' => get_form_security_token("register"),
'$form_security_token' => BaseModule::getFormSecurityToken("register"),
'$explicit_content' => Config::get('system', 'explicit_content', false),
'$explicit_content_note' => L10n::t('Note: This node explicitly contains adult content')
]);

1
mod/search.php
View file

@ -13,7 +13,6 @@ use Friendica\Core\System;
use Friendica\Database\DBA;
use Friendica\Model\Item;
require_once 'include/security.php';
require_once 'include/conversation.php';
require_once 'mod/dirfind.php';

34
mod/settings.php
View file

@ -4,6 +4,7 @@
*/
use Friendica\App;
use Friendica\BaseModule;
use Friendica\Content\Feature;
use Friendica\Content\Nav;
use Friendica\Core\ACL;
@ -22,6 +23,7 @@ use Friendica\Model\User;
use Friendica\Protocol\Email;
use Friendica\Util\Network;
use Friendica\Util\Temporal;
use Friendica\Util\Security;
use Friendica\Module\Login;
function get_theme_config_file($theme)
@ -154,7 +156,7 @@ function settings_post(App $a)
$old_page_flags = $a->user['page-flags'];
if (($a->argc > 1) && ($a->argv[1] === 'oauth') && x($_POST, 'remove')) {
check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth');
$key = $_POST['remove'];
DBA::delete('tokens', ['id' => $key, 'uid' => local_user()]);
@ -163,7 +165,7 @@ function settings_post(App $a)
}
if (($a->argc > 2) && ($a->argv[1] === 'oauth') && ($a->argv[2] === 'edit'||($a->argv[2] === 'add')) && x($_POST, 'submit')) {
check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth');
$name = defaults($_POST, 'name' , '');
$key = defaults($_POST, 'key' , '');
@ -209,14 +211,14 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] == 'addon')) {
check_form_security_token_redirectOnErr('/settings/addon', 'settings_addon');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/addon', 'settings_addon');
Addon::callHooks('addon_settings_post', $_POST);
return;
}
if (($a->argc > 1) && ($a->argv[1] == 'connectors')) {
check_form_security_token_redirectOnErr('/settings/connectors', 'settings_connectors');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/connectors', 'settings_connectors');
if (x($_POST, 'general-submit')) {
PConfig::set(local_user(), 'system', 'disable_cw', intval($_POST['disable_cw']));
@ -298,7 +300,7 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] === 'features')) {
check_form_security_token_redirectOnErr('/settings/features', 'settings_features');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/features', 'settings_features');
foreach ($_POST as $k => $v) {
if (strpos($k, 'feature_') === 0) {
PConfig::set(local_user(), 'feature', substr($k, 8), ((intval($v)) ? 1 : 0));
@ -309,7 +311,7 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] === 'display')) {
check_form_security_token_redirectOnErr('/settings/display', 'settings_display');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/display', 'settings_display');
$theme = x($_POST, 'theme') ? notags(trim($_POST['theme'])) : $a->user['theme'];
$mobile_theme = x($_POST, 'mobile_theme') ? notags(trim($_POST['mobile_theme'])) : '';
@ -373,7 +375,7 @@ function settings_post(App $a)
return; // NOTREACHED
}
check_form_security_token_redirectOnErr('/settings', 'settings');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings', 'settings');
if (x($_POST,'resend_relocate')) {
Worker::add(PRIORITY_HIGH, 'Notifier', 'relocate', local_user());
@ -671,7 +673,7 @@ function settings_content(App $a)
if (($a->argc > 2) && ($a->argv[2] === 'add')) {
$tpl = get_markup_template('settings/oauth_edit.tpl');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_oauth"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$title' => L10n::t('Add application'),
'$submit' => L10n::t('Save Settings'),
'$cancel' => L10n::t('Cancel'),
@ -697,7 +699,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/oauth_edit.tpl');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_oauth"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$title' => L10n::t('Add application'),
'$submit' => L10n::t('Update'),
'$cancel' => L10n::t('Cancel'),
@ -711,7 +713,7 @@ function settings_content(App $a)
}
if (($a->argc > 3) && ($a->argv[2] === 'delete')) {
check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth', 't');
BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth', 't');
DBA::delete('clients', ['client_id' => $a->argv[3], 'uid' => local_user()]);
goaway(System::baseUrl(true)."/settings/oauth/");
@ -729,7 +731,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/oauth.tpl');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_oauth"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$baseurl' => System::baseUrl(true),
'$title' => L10n::t('Connected Apps'),
'$add' => L10n::t('Add application'),
@ -756,7 +758,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/addons.tpl');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_addon"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_addon"),
'$title' => L10n::t('Addon Settings'),
'$settings_addons' => $settings_addons
]);
@ -777,7 +779,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/features.tpl');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_features"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_features"),
'$title' => L10n::t('Additional Features'),
'$features' => $arr,
'$submit' => L10n::t('Save Settings'),
@ -836,7 +838,7 @@ function settings_content(App $a)
$mail_disabled_message = (($mail_disabled) ? L10n::t('Email access is disabled on this site.') : '');
$o .= replace_macros($tpl, [
'$form_security_token' => get_form_security_token("settings_connectors"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_connectors"),
'$title' => L10n::t('Social Networks'),
@ -956,7 +958,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/display.tpl');
$o = replace_macros($tpl, [
'$ptitle' => L10n::t('Display Settings'),
'$form_security_token' => get_form_security_token("settings_display"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings_display"),
'$submit' => L10n::t('Save Settings'),
'$baseurl' => System::baseUrl(true),
'$uid' => local_user(),
@ -1185,7 +1187,7 @@ function settings_content(App $a)
'$submit' => L10n::t('Save Settings'),
'$baseurl' => System::baseUrl(true),
'$uid' => local_user(),
'$form_security_token' => get_form_security_token("settings"),
'$form_security_token' => BaseModule::getFormSecurityToken("settings"),
'$nickname_block' => $prof_addr,
'$h_pass' => L10n::t('Password Settings'),

4
mod/subthread.php
View file

@ -8,8 +8,8 @@ use Friendica\Core\L10n;
use Friendica\Core\System;
use Friendica\Database\DBA;
use Friendica\Model\Item;
use Friendica\Util\Security;
require_once 'include/security.php';
require_once 'include/items.php';
function subthread_content(App $a) {
@ -32,7 +32,7 @@ function subthread_content(App $a) {
$owner_uid = $item['uid'];
if (!can_write_wall($owner_uid)) {
if (!Security::canWriteToUserWall($owner_uid)) {
return;
}

1
mod/tagger.php
View file

@ -10,7 +10,6 @@ use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\Item;
require_once 'include/security.php';
require_once 'include/items.php';
function tagger_content(App $a) {

7
mod/videos.php
View file

@ -14,9 +14,9 @@ use Friendica\Model\Group;
use Friendica\Model\Item;
use Friendica\Model\Profile;
use Friendica\Protocol\DFRN;
use Friendica\Util\Security;
require_once 'include/items.php';
require_once 'include/security.php';
function videos_init(App $a)
{
@ -60,7 +60,7 @@ function videos_init(App $a)
]);
/// @TODO Old-lost code?
/*$sql_extra = permissions_sql($a->data['user']['uid']);
/*$sql_extra = Security::getPermissionsSQLByUserId($a->data['user']['uid']);
$albums = q("SELECT distinct(`album`) AS `album` FROM `photo` WHERE `uid` = %d $sql_extra order by created desc",
intval($a->data['user']['uid'])
@ -193,7 +193,6 @@ function videos_content(App $a)
return;
}
require_once 'include/security.php';
require_once 'include/conversation.php';
if (empty($a->data['user'])) {
@ -302,7 +301,7 @@ function videos_content(App $a)
return;
}
$sql_extra = permissions_sql($owner_uid, $remote_contact, $groups);
$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$o = "";