diff --git a/CHANGELOG b/CHANGELOG index 16ba3f8412..1fa98ee870 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,17 +1,20 @@ -Version 2019.06 (UNRELEASED) (2019-06-?) +Version 2019.06 (2019-06-23) Friendica Core: - Update to the tranlation (CS, DE, ET, PL, PT-BR, SV) [translation teams] - Update to the documentation [nupplaphil, realkinetix] + Update to the tranlation (CS, DE, EN-GB, EN-US, ET, FR, IT, PL, PT-BR, SV) [translation teams] + Update to the documentation [nupplaphil, realkinetix, MrPetovan] Update to the themes (frio, vier) [BinkaDroid, MrPetovan, tobiasd] Enhancements to the API [annando, MrPetovan] Enhancements to the way reshares are handled [annando] Enhancements to the redis configuration [nupplaphil] Enhancements to the federation stats display in the admin panel [tobiasd] Enhancements to the processing of changed storage engine [MrPetovan] + Enhancements to ActivityPub support [annando, MrPetovan] + Enhancements to code security [MrPetovan] + Enhancements to delivery counter [annando] Fixed the notification order [JeroenED] Fixed the timezone of Friendica logs [nupplaphil] Fixed tag completion painfully slow [AlfredSK] - Fixed a regression in notifications [MrPetovan] + Fixed a regression in notifications [MrPetovan, annando] Fixed an issue with smilies and code blocks [MrPetovan] Fixed an AP issue with unavailable local profiles [MrPetovan] Fixed an issue with the File to Folder feature [MrPetovan] @@ -20,35 +23,56 @@ Version 2019.06 (UNRELEASED) (2019-06-?) Fixed an issue occuring when the BasePath was not set [tobiasd] Fixed an issue with additionally opened Sessions [MrPetovan] Fixed an issue with legacy loglevel mapping [nupplaphil] + Fixed contact suggestions [annando] + Fixed an issue with frio hovercard [nupplaphil] + Fixed event interaction federation [annando] + Fixed remote image permission [deantownsley] General Code cleaning and restructuring [annando, nupplaphil, tobiasd] Added frio color scheme sharing [JeroenED] Added syslog and stream Logger [nupplaphil] Added storage move cronjob [MrPetovan] Added collapsible panel for connector permission fields [MrPetovan] Added rule-based router [MrPetovan] - Added Estinian translation [Rain Hawk] + Added Estonian translation [Rain Hawk] Added APCu caching [nupplaphil] Added BlockServer command to the Friendica console [nupplaphil] + Added reshare count [annando] + Added rule-based router [MrPetovan, nupplaphil] + Added themed error pages with mascot [MrPetovan, lostinlight] + Added contact relationship filter [MrPetovan] Removed the old queue mechanism (deferred workers are now used) [annando] Removed BasePath and Hostname settings from the admin panel [nupplaphil] + Remove support for defunct F-Droid Friendica app [MrPetovan] Friendica Addons: Update to the tranlation (ET, SV, ZH_CN) [translation teams] botdetection: - Added a new addon for preventing access by bots [nupplaphil] + Added a new addon for preventing access by bots [nupplaphil, annando] buffer: Traces of Google+ were removed [annando] curweather: Fixed a problem with the display of the correct temperature unit [tobiasd] fromgplus: Deprecated the addon as Google+ was closed [tobiasd] + fortunate: + Deprecated addon for incompatibility with latest Friendica version [MrPetovan] phpmailer: - Added a new addon to use external SMTP for email [M-arcus] + Added a new addon to use external SMTP for email [M-arcus, kecalcze, MrPetovan] + pledgie: + Deprecated addon as service was discontinued [M-arcus] + xmpp: + Marked addon as unsupported because of various incompatibilities with themes [MrPetovan] Closed Issues: - 5011, 5047, 5850, 6303, 6319, 6478, 6319, 6720, 6815, 6864, 6879, - 6903, 6921, 6927, 6936, 6941, 6943, 6947, 6948, 6952 + 1012, 2209, 2528, 3309, 3717, 3816, 3869, 4453, 4999, 5011, 5047, 5276, 5850, 5983, 6303, 6319, 6379, 6410, 6477, + 6478, 6720, 6799, 6813, 6819, 6861, 6864, 6879, 6903, 6916, 6917, 6918, 6921, 6927, 6929, 6936, 6938, 6941, 6943, + 6947, 6948, 6950, 6952, 6983, 6999, 7023, 7036, 7047, 7106, 7112, 7119, 7128, 7130, 7131, 7141, 7142, 7150, 7171, + 7183, 7196, 7209, 7223, 7226, 7240, 7241, 7249, 7264, 7269, 7271, 7275, 7300, 7303 +Version 2019.04 (2019-04-28) + Friendica Core: + Fixed a privacy problem with postings accessed by feed [MrPetovan] + Version 2019.03 (2019-03-22) Friendica Core: Update to the translation (CS, DE, EN-GB, EN-US, ES, FR, IT, PL, SV, ZH-CN) [translation teams] diff --git a/VERSION b/VERSION index 6952a8d6e3..4eda9a567d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2019.06-rc +2019.06 diff --git a/boot.php b/boot.php index eb04732c5d..4ade9eb145 100644 --- a/boot.php +++ b/boot.php @@ -31,7 +31,7 @@ use Friendica\Util\DateTimeFormat; define('FRIENDICA_PLATFORM', 'Friendica'); define('FRIENDICA_CODENAME', 'Dalmatian Bellflower'); -define('FRIENDICA_VERSION', '2019.06-rc'); +define('FRIENDICA_VERSION', '2019.06'); define('DFRN_PROTOCOL_VERSION', '2.23'); define('NEW_UPDATE_ROUTINE_VERSION', 1170); diff --git a/composer.json b/composer.json index aac5c10bc6..feac6c61f7 100644 --- a/composer.json +++ b/composer.json @@ -97,7 +97,19 @@ }, "archive": { "exclude": [ - "log", "cache", "/photo", "/proxy" + "/.*", + "/*file", + "!/.htaccess-dist", + "/tests", + "/*.xml", + "/composer.*", + "/log", + "/cache", + "/photo", + "/proxy", + "/addon", + "!/vendor", + "!/view/asset" ] }, "require-dev": { diff --git a/mod/display.php b/mod/display.php index 017b3545b6..54d4792594 100644 --- a/mod/display.php +++ b/mod/display.php @@ -84,6 +84,10 @@ function display_init(App $a) displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom'); } + if ($a->argc >= 3 && $nick == 'feed-item') { + displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom'); + } + if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) { Logger::log('Directly serving XML for id '.$item["id"], Logger::DEBUG); displayShowFeed($item["id"], false); diff --git a/src/Model/Event.php b/src/Model/Event.php index d8657c1e9a..42742f18e0 100644 --- a/src/Model/Event.php +++ b/src/Model/Event.php @@ -226,7 +226,7 @@ class Event extends BaseObject return; } - DBA::delete('event', ['id' => $event_id]); + DBA::delete('event', ['id' => $event_id], ['cascade' => false]); Logger::log("Deleted event ".$event_id, Logger::DEBUG); } diff --git a/src/Model/Item.php b/src/Model/Item.php index 579d2f68eb..3c503dd670 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1080,9 +1080,11 @@ class Item extends BaseObject } // When the permission set will be used in photo and events as well, // this query here needs to be extended. - if (!empty($item['psid']) && !self::exists(['psid' => $item['psid'], 'deleted' => false])) { - DBA::delete('permissionset', ['id' => $item['psid']], ['cascade' => false]); - } + // @todo Currently deactivated. We need the permission set in the deletion process. + // This is a reminder to add the removal somewhere else. + //if (!empty($item['psid']) && !self::exists(['psid' => $item['psid'], 'deleted' => false])) { + // DBA::delete('permissionset', ['id' => $item['psid']], ['cascade' => false]); + //} // If it's the parent of a comment thread, kill all the kids if ($item['id'] == $item['parent']) { diff --git a/src/Model/Photo.php b/src/Model/Photo.php index 68665126fb..7df96fccdb 100644 --- a/src/Model/Photo.php +++ b/src/Model/Photo.php @@ -16,6 +16,7 @@ use Friendica\Database\DBA; use Friendica\Database\DBStructure; use Friendica\Model\Storage\IStorage; use Friendica\Object\Image; +use Friendica\Protocol\DFRN; use Friendica\Util\DateTimeFormat; use Friendica\Util\Network; use Friendica\Util\Security; @@ -133,8 +134,16 @@ class Photo extends BaseObject if ($r === false) { return false; } + $uid = $r["uid"]; - $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]); + // This is the first place, when retrieving just a photo, that we know who owns the photo. + // Make sure that the requester's session is appropriately authenticated to that user + // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly + $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []); + // this will either just return (if auth all ok) or will redirect and exit (starting over) + DFRN::autoRedir(self::getApp(), $r["nickname"]); + + $sql_acl = Security::getPermissionsSQLByUserId($uid); $conditions = [ "`resource-id` = ? AND `scale` <= ? " . $sql_acl, diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index ec4557e822..91ca2545db 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -2899,7 +2899,12 @@ class DFRN { // prevent looping if (!empty($_REQUEST['redir'])) { - return; + Logger::log('autoRedir might be looping because redirect has been redirected', Logger::DEBUG); + // looping prevention also appears to sometimes prevent authentication for images + // because browser may have multiple connections open and load an image on a connection + // whose session wasn't updated when a previous redirect authenticated + // Leaving commented in case looping reappears + //return; } if ((! $contact_nick) || ($contact_nick === $a->user['nickname'])) { @@ -2923,6 +2928,9 @@ class DFRN $baseurl = substr($baseurl, $domain_st + 3); $nurl = Strings::normaliseLink($baseurl); + $r = User::getByNickname($contact_nick, ["uid"]); + $contact_uid = $r["uid"]; + /// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange. $r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1) AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1", @@ -2931,9 +2939,19 @@ class DFRN DBA::escape($baseurl), DBA::escape($nurl) ); - if ((! DBA::isResult($r)) || $r[0]['id'] == remote_user()) { + if ((! DBA::isResult($r))) { return; } + // test if redirect authentication already succeeded + // Note that "contact" in the sense used in the $contact_nick argument to this function + // and the sense in the $remote[]["cid"] in the session are opposite. + // In the session variable the user currently fetching is the contact + // while $contact_nick is the nick of tho user who owns the stuff being fetched. + foreach (\Friendica\Core\Session::get('remote', []) as $visitor) { + if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) { + return; + } + } $r = q("SELECT * FROM contact WHERE nick = '%s' AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1",