bug in check for private email comment to public conversation prevents authenticated visitor from seeing comments that should be allowed

2012-03-09 00:31:17 -08:00 · 2012-03-09 00:31:17 -08:00 · 312c175045
parent 2050f886cc
commit 312c175045
2 changed files with 9 additions and 23 deletions
--- a/include/conversation.php
+++ b/include/conversation.php
@ -179,9 +179,11 @@ function localize_item(&$item){
 * that are based on unique features of the calling module.
 *
 */
- if(!function_exists('conversation')){
+
+if(!function_exists('conversation')) {
 function conversation(&$a, $items, $mode, $update, $preview = false) {

+
 	require_once('bbcode.php');

 	$profile_owner = 0;
@ -418,26 +420,6 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
 					$toplevelprivate = (($toplevelpost && $item['private']) ? true : false);
 					$item_writeable = (($item['writable'] || $item['self']) ? true : false);

-					// DISABLED
-					/*
-					if($blowhard == $item['cid'] && (! $item['self']) && ($mode != 'profile') && ($mode != 'notes')) {
-						$blowhard_count ++;
-						if($blowhard_count == 3) {
-							$o .= '<div class="icollapse-wrapper fakelink" id="icollapse-wrapper-' . $item['parent'] 
-								. '" onclick="openClose(' . '\'icollapse-' . $item['parent'] . '\'); $(\'#icollapse-wrapper-' . $item['parent'] . '\').hide();" >' 
-								. t('See more posts like this') . '</div>' . '<div class="icollapse" id="icollapse-' 
-								. $item['parent'] . '" style="display: none;" >';
-						}
-					}
-					else {
-						$blowhard = $item['cid'];					
-						if($blowhard_count >= 3)
-							$o .= '</div>';
-						$blowhard_count = 0;
-					}
-					// END DISABLED
-					*/
-
 					$comments_seen = 0;
 					$comments_collapsed = false;
 					$comment_lastcollapsed  = false;
@ -445,13 +427,16 @@ function conversation(&$a, $items, $mode, $update, $preview = false) {
 					
 					$threadsid++;
 					$threads[$threadsid]['id'] = $item['item_id'];
+					$threads[$threadsid]['private'] = $item['private'];
 					$threads[$threadsid]['items'] = array();

 				}
 				else {
-					// prevent private email from leaking into public conversation
-					if((! $toplevelpost) && (! $toplevelprivate) && ($item['private']) && ($profile_owner != local_user()))
+
+					// prevent private email reply to public conversation from leaking.
+					if($item['private'] && ! $threads[$threadsid]['private'])
 						continue;
+
 					$comments_seen ++;
 					$comment_lastcollapsed  = false;
 					$comment_firstcollapsed = false;
--- a/include/security.php
+++ b/include/security.php
@ -283,6 +283,7 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null)
 			);
 		}
 	}
+
 	return $sql;
 }