From 178ad53e22f4cc12a463874c0e7966d1bed9601c Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 28 Apr 2019 01:13:39 -0400 Subject: [PATCH 01/11] Move item feed display after permission checking in mod/display --- mod/display.php | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-) diff --git a/mod/display.php b/mod/display.php index 6723a77e9d..acc2a5b090 100644 --- a/mod/display.php +++ b/mod/display.php @@ -36,20 +36,6 @@ function display_init(App $a) $nick = (($a->argc > 1) ? $a->argv[1] : ''); - if ($a->argc == 3) { - if (substr($a->argv[2], -5) == '.atom') { - $item_id = substr($a->argv[2], 0, -5); - displayShowFeed($item_id, false); - } - } - - if ($a->argc == 4) { - if ($a->argv[3] == 'conversation.atom') { - $item_id = $a->argv[2]; - displayShowFeed($item_id, true); - } - } - $item = null; $item_user = local_user(); @@ -81,14 +67,22 @@ function display_init(App $a) if (!DBA::isResult($item)) { $item = Item::selectFirstForUser(local_user(), $fields, ['guid' => $a->argv[1], 'private' => [0, 2], 'uid' => 0]); } - } elseif (($a->argc == 3) && ($nick == 'feed-item')) { - $item = Item::selectFirstForUser(local_user(), $fields, ['id' => $a->argv[2], 'private' => [0, 2], 'uid' => 0]); + } elseif ($a->argc >= 3 && $nick == 'feed-item') { + $item_id = $a->argv[2]; + if (substr($item_id, -5) == '.atom') { + $item_id = substr($item_id, 0, -5); + } + $item = Item::selectFirstForUser(local_user(), $fields, ['id' => $item_id, 'private' => [0, 2], 'uid' => 0]); } if (!DBA::isResult($item)) { System::httpExit(404); } + if ($a->argc >= 3 && $nick == 'feed-item') { + displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom'); + } + if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) { Logger::log('Directly serving XML for id '.$item["id"], Logger::DEBUG); displayShowFeed($item["id"], false); From 5ca279478eb6dd06b698e8c050ea1315c404a454 Mon Sep 17 00:00:00 2001 From: Tobias Diekershoff Date: Sun, 28 Apr 2019 10:35:51 +0200 Subject: [PATCH 02/11] CHANGELOG and version number for the fix release --- CHANGELOG | 4 ++++ VERSION | 2 +- boot.php | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 6d908f0f45..127f7e68eb 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,7 @@ +Version 2019.04 (2019-04-28) + Friendica Core: + Fixed a privacy problem with postings accessed by feed [MrPetovan] + Version 2019.03 (2019-03-22) Friendica Core: Update to the translation (CS, DE, EN-GB, EN-US, ES, FR, IT, PL, SV, ZH-CN) [translation teams] diff --git a/VERSION b/VERSION index 78b7dcf0ce..3365fe156f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2019.03 +2019.04 diff --git a/boot.php b/boot.php index 76672dc80c..95ea6579a4 100644 --- a/boot.php +++ b/boot.php @@ -31,7 +31,7 @@ use Friendica\Util\DateTimeFormat; define('FRIENDICA_PLATFORM', 'Friendica'); define('FRIENDICA_CODENAME', 'Dalmatian Bellflower'); -define('FRIENDICA_VERSION', '2019.03'); +define('FRIENDICA_VERSION', '2019.04'); define('DFRN_PROTOCOL_VERSION', '2.23'); define('NEW_UPDATE_ROUTINE_VERSION', 1170); From b5e195b41526b12b292e0814a955ee5d0a8708ed Mon Sep 17 00:00:00 2001 From: Dean Townsley Date: Sat, 22 Jun 2019 12:24:30 -0500 Subject: [PATCH 03/11] Add auth to load sequence for photos This allows private photos to load on any page. Previously auth depended on some other thing like the enclosing page triggering the authentication of the specific contact for the photo owner. --- src/Model/Photo.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/Model/Photo.php b/src/Model/Photo.php index 68665126fb..7df96fccdb 100644 --- a/src/Model/Photo.php +++ b/src/Model/Photo.php @@ -16,6 +16,7 @@ use Friendica\Database\DBA; use Friendica\Database\DBStructure; use Friendica\Model\Storage\IStorage; use Friendica\Object\Image; +use Friendica\Protocol\DFRN; use Friendica\Util\DateTimeFormat; use Friendica\Util\Network; use Friendica\Util\Security; @@ -133,8 +134,16 @@ class Photo extends BaseObject if ($r === false) { return false; } + $uid = $r["uid"]; - $sql_acl = Security::getPermissionsSQLByUserId($r["uid"]); + // This is the first place, when retrieving just a photo, that we know who owns the photo. + // Make sure that the requester's session is appropriately authenticated to that user + // otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly + $r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []); + // this will either just return (if auth all ok) or will redirect and exit (starting over) + DFRN::autoRedir(self::getApp(), $r["nickname"]); + + $sql_acl = Security::getPermissionsSQLByUserId($uid); $conditions = [ "`resource-id` = ? AND `scale` <= ? " . $sql_acl, From 042fcfeb508cde2647fedee53c28f4037255c5ed Mon Sep 17 00:00:00 2001 From: Dean Townsley Date: Sat, 22 Jun 2019 12:34:54 -0500 Subject: [PATCH 04/11] Enable multi-auth in dfrn autoRedir Update checks to account for a user being authenticated to multiple contacts on the local server at the same time. It was also necessary to remove a looping procection to make this work correcly with browsers that open multiple connections because the information about what contacts are authenticated is stored in the PHP session. --- src/Protocol/DFRN.php | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index ec4557e822..0e2bfc579b 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -2899,7 +2899,12 @@ class DFRN { // prevent looping if (!empty($_REQUEST['redir'])) { - return; + Logger::log('autoRedir might be looping because is redir', Logger::DEBUG); + // looping prevention also appears to sometimes prevent authentication for images + // because browser may have multiple connections open and load an image on a connection + // whose session wasn't updated when a previous redirect authenticated + // Leaving commented in case looping reappears + //return; } if ((! $contact_nick) || ($contact_nick === $a->user['nickname'])) { @@ -2923,6 +2928,9 @@ class DFRN $baseurl = substr($baseurl, $domain_st + 3); $nurl = Strings::normaliseLink($baseurl); + $r = DBA::selectFirst("user", ["uid"], ["nickname" => DBA::escape($contact_nick)], []); + $contact_uid = $r["uid"]; + /// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange. $r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1) AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1", @@ -2931,9 +2939,18 @@ class DFRN DBA::escape($baseurl), DBA::escape($nurl) ); - if ((! DBA::isResult($r)) || $r[0]['id'] == remote_user()) { + if ((! DBA::isResult($r))) { return; } + // test if redirect authentication already succeeded + // Note that "contact" in the sense used in $contact_nick and the sense in the $remote[]["cid"] + // in the session are opposite. In the session variable the user currently fetching is the contact + // while $contact_nick is the nick of tho user who owns the stuff being fetched. + foreach (\Friendica\Core\Session::get('remote', []) as $visitor) { + if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) { + return; + } + } $r = q("SELECT * FROM contact WHERE nick = '%s' AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1", From 9dff3d2b6d27a3917b7ca998c5d33c7b7cbaa84a Mon Sep 17 00:00:00 2001 From: Dean Townsley Date: Sat, 22 Jun 2019 18:56:33 -0500 Subject: [PATCH 05/11] Use User:: API insteadd of direct database read --- src/Protocol/DFRN.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index 0e2bfc579b..e47cfc72c0 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -2928,7 +2928,7 @@ class DFRN $baseurl = substr($baseurl, $domain_st + 3); $nurl = Strings::normaliseLink($baseurl); - $r = DBA::selectFirst("user", ["uid"], ["nickname" => DBA::escape($contact_nick)], []); + $r = User::getByNickname($contact_nick, ["uid"]); $contact_uid = $r["uid"]; /// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange. From 0c6a0942cc220128b448b922aba2a5777b47a360 Mon Sep 17 00:00:00 2001 From: Dean Townsley Date: Sat, 22 Jun 2019 19:08:34 -0500 Subject: [PATCH 06/11] Clarify comment and log message --- src/Protocol/DFRN.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index e47cfc72c0..91ca2545db 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -2899,7 +2899,7 @@ class DFRN { // prevent looping if (!empty($_REQUEST['redir'])) { - Logger::log('autoRedir might be looping because is redir', Logger::DEBUG); + Logger::log('autoRedir might be looping because redirect has been redirected', Logger::DEBUG); // looping prevention also appears to sometimes prevent authentication for images // because browser may have multiple connections open and load an image on a connection // whose session wasn't updated when a previous redirect authenticated @@ -2943,8 +2943,9 @@ class DFRN return; } // test if redirect authentication already succeeded - // Note that "contact" in the sense used in $contact_nick and the sense in the $remote[]["cid"] - // in the session are opposite. In the session variable the user currently fetching is the contact + // Note that "contact" in the sense used in the $contact_nick argument to this function + // and the sense in the $remote[]["cid"] in the session are opposite. + // In the session variable the user currently fetching is the contact // while $contact_nick is the nick of tho user who owns the stuff being fetched. foreach (\Friendica\Core\Session::get('remote', []) as $visitor) { if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) { From f84e2e9d932f171dab1bc97360ea670d2ba86254 Mon Sep 17 00:00:00 2001 From: Michael Vogel Date: Sun, 23 Jun 2019 08:41:49 +0200 Subject: [PATCH 07/11] Fix for distribution of event deletions --- src/Model/Event.php | 2 +- src/Model/Item.php | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/src/Model/Event.php b/src/Model/Event.php index d8657c1e9a..42742f18e0 100644 --- a/src/Model/Event.php +++ b/src/Model/Event.php @@ -226,7 +226,7 @@ class Event extends BaseObject return; } - DBA::delete('event', ['id' => $event_id]); + DBA::delete('event', ['id' => $event_id], ['cascade' => false]); Logger::log("Deleted event ".$event_id, Logger::DEBUG); } diff --git a/src/Model/Item.php b/src/Model/Item.php index 579d2f68eb..059838bdb4 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1080,9 +1080,11 @@ class Item extends BaseObject } // When the permission set will be used in photo and events as well, // this query here needs to be extended. - if (!empty($item['psid']) && !self::exists(['psid' => $item['psid'], 'deleted' => false])) { - DBA::delete('permissionset', ['id' => $item['psid']], ['cascade' => false]); - } + // Currently deactivated. We need the permission set in the deletion process. + // This is a reminder to add the removal somewhere else. + //if (!empty($item['psid']) && !self::exists(['psid' => $item['psid'], 'deleted' => false])) { + // DBA::delete('permissionset', ['id' => $item['psid']], ['cascade' => false]); + //} // If it's the parent of a comment thread, kill all the kids if ($item['id'] == $item['parent']) { From 955926607510ae13b820edc6926e18ff2dbbd9c7 Mon Sep 17 00:00:00 2001 From: Michael Vogel Date: Sun, 23 Jun 2019 12:01:14 +0200 Subject: [PATCH 08/11] todo added --- src/Model/Item.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Model/Item.php b/src/Model/Item.php index 059838bdb4..3c503dd670 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -1080,7 +1080,7 @@ class Item extends BaseObject } // When the permission set will be used in photo and events as well, // this query here needs to be extended. - // Currently deactivated. We need the permission set in the deletion process. + // @todo Currently deactivated. We need the permission set in the deletion process. // This is a reminder to add the removal somewhere else. //if (!empty($item['psid']) && !self::exists(['psid' => $item['psid'], 'deleted' => false])) { // DBA::delete('permissionset', ['id' => $item['psid']], ['cascade' => false]); From e4714cc504ba762481a4a8bfdb30d0c28d6d23e6 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 23 Jun 2019 15:26:48 -0400 Subject: [PATCH 09/11] Updated CHANGELOG for 2019.06 release --- CHANGELOG | 39 ++++++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 16ba3f8412..6fcb337868 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,17 +1,20 @@ -Version 2019.06 (UNRELEASED) (2019-06-?) +Version 2019.06 (UNRELEASED) (2019-06-23) Friendica Core: - Update to the tranlation (CS, DE, ET, PL, PT-BR, SV) [translation teams] - Update to the documentation [nupplaphil, realkinetix] + Update to the tranlation (CS, DE, EN-GB, EN-US, ET, FR, IT, PL, PT-BR, SV) [translation teams] + Update to the documentation [nupplaphil, realkinetix, MrPetovan] Update to the themes (frio, vier) [BinkaDroid, MrPetovan, tobiasd] Enhancements to the API [annando, MrPetovan] Enhancements to the way reshares are handled [annando] Enhancements to the redis configuration [nupplaphil] Enhancements to the federation stats display in the admin panel [tobiasd] Enhancements to the processing of changed storage engine [MrPetovan] + Enhancements to ActivityPub support [annando, MrPetovan] + Enhancements to code security [MrPetovan] + Enhancements to delivery counter [annando] Fixed the notification order [JeroenED] Fixed the timezone of Friendica logs [nupplaphil] Fixed tag completion painfully slow [AlfredSK] - Fixed a regression in notifications [MrPetovan] + Fixed a regression in notifications [MrPetovan, annando] Fixed an issue with smilies and code blocks [MrPetovan] Fixed an AP issue with unavailable local profiles [MrPetovan] Fixed an issue with the File to Folder feature [MrPetovan] @@ -20,34 +23,52 @@ Version 2019.06 (UNRELEASED) (2019-06-?) Fixed an issue occuring when the BasePath was not set [tobiasd] Fixed an issue with additionally opened Sessions [MrPetovan] Fixed an issue with legacy loglevel mapping [nupplaphil] + Fixed contact suggestions [annando] + Fixed an issue with frio hovercard [nupplaphil] + Fixed event interaction federation [annando] + Fixed remote image permission [deantownsley] General Code cleaning and restructuring [annando, nupplaphil, tobiasd] Added frio color scheme sharing [JeroenED] Added syslog and stream Logger [nupplaphil] Added storage move cronjob [MrPetovan] Added collapsible panel for connector permission fields [MrPetovan] Added rule-based router [MrPetovan] - Added Estinian translation [Rain Hawk] + Added Estonian translation [Rain Hawk] Added APCu caching [nupplaphil] Added BlockServer command to the Friendica console [nupplaphil] + Added reshare count [annando] + Added rule-based router [MrPetovan, nupplaphil] + Added themed error pages with mascot [MrPetovan, lostinlight] + Added contact relationship filter [MrPetovan] Removed the old queue mechanism (deferred workers are now used) [annando] Removed BasePath and Hostname settings from the admin panel [nupplaphil] + Remove support for defunct F-Droid Friendica app [MrPetovan] Friendica Addons: Update to the tranlation (ET, SV, ZH_CN) [translation teams] botdetection: - Added a new addon for preventing access by bots [nupplaphil] + Added a new addon for preventing access by bots [nupplaphil, annando] buffer: Traces of Google+ were removed [annando] curweather: Fixed a problem with the display of the correct temperature unit [tobiasd] fromgplus: Deprecated the addon as Google+ was closed [tobiasd] + fortunate: + Deprecated addon for incompatibility with latest Friendica version [MrPetovan] phpmailer: - Added a new addon to use external SMTP for email [M-arcus] + Added a new addon to use external SMTP for email [M-arcus, kecalcze, MrPetovan] + pledgie: + Deprecated addon as service was discontinued [M-arcus] + xmpp: + Marked addon as unsupported because of various incompatibilities with themes [MrPetovan] + Closed Issues: - 5011, 5047, 5850, 6303, 6319, 6478, 6319, 6720, 6815, 6864, 6879, - 6903, 6921, 6927, 6936, 6941, 6943, 6947, 6948, 6952 + 1012, 2209, 2528, 3309, 3717, 3816, 3869, 4453, 4999, 5011, 5047, 5276, 5850, 5983, 6303, 6319, 6379, 6410, 6477, + 6478, 6720, 6799, 6813, 6819, 6861, 6864, 6879, 6903, 6916, 6917, 6918, 6921, 6927, 6929, 6936, 6938, 6941, 6943, + 6947, 6948, 6950, 6952, 6983, 6999, 7023, 7036, 7047, 7106, 7112, 7119, 7128, 7130, 7131, 7141, 7142, 7150, 7171, + 7183, 7196, 7209, 7223, 7226, 7240, 7241, 7249, 7264, 7269, 7271, 7275, 7300, 7303 Version 2019.03 (2019-03-22) Friendica Core: From a25ed827c96e6f10dd84f5b7cb104c793c95340d Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 23 Jun 2019 15:28:38 -0400 Subject: [PATCH 10/11] Updated version constants for 2019.06 release --- VERSION | 2 +- boot.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 6952a8d6e3..4eda9a567d 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2019.06-rc +2019.06 diff --git a/boot.php b/boot.php index eb04732c5d..4ade9eb145 100644 --- a/boot.php +++ b/boot.php @@ -31,7 +31,7 @@ use Friendica\Util\DateTimeFormat; define('FRIENDICA_PLATFORM', 'Friendica'); define('FRIENDICA_CODENAME', 'Dalmatian Bellflower'); -define('FRIENDICA_VERSION', '2019.06-rc'); +define('FRIENDICA_VERSION', '2019.06'); define('DFRN_PROTOCOL_VERSION', '2.23'); define('NEW_UPDATE_ROUTINE_VERSION', 1170); From f0c85432416de5253bf24aae43c3551a96d09357 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 23 Jun 2019 17:38:12 -0400 Subject: [PATCH 11/11] Update Composer archive settings --- composer.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index aac5c10bc6..feac6c61f7 100644 --- a/composer.json +++ b/composer.json @@ -97,7 +97,19 @@ }, "archive": { "exclude": [ - "log", "cache", "/photo", "/proxy" + "/.*", + "/*file", + "!/.htaccess-dist", + "/tests", + "/*.xml", + "/composer.*", + "/log", + "/cache", + "/photo", + "/proxy", + "/addon", + "!/vendor", + "!/view/asset" ] }, "require-dev": {