Merge pull request #4287 from annando/item-permissions

Overhauled mod/item - fixing wrong thread parent and mail stuff
This commit is contained in:
Hypolite Petovan 2018-01-20 16:57:19 -05:00 committed by GitHub
commit 352dd020a8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -52,15 +52,15 @@ function item_post(App $a) {
} }
Addon::callHooks('post_local_start', $_REQUEST); Addon::callHooks('post_local_start', $_REQUEST);
// logger('postinput ' . file_get_contents('php://input'));
logger('postvars ' . print_r($_REQUEST,true), LOGGER_DATA); logger('postvars ' . print_r($_REQUEST,true), LOGGER_DATA);
$api_source = x($_REQUEST, 'api_source') && $_REQUEST['api_source']; $api_source = defaults($_REQUEST, 'api_source', false);
$message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : ''); $message_id = ((x($_REQUEST, 'message_id') && $api_source) ? strip_tags($_REQUEST['message_id']) : '');
$return_path = (x($_REQUEST, 'return') ? $_REQUEST['return'] : ''); $return_path = defaults($_REQUEST, 'return', '');
$preview = (x($_REQUEST, 'preview') ? intval($_REQUEST['preview']) : 0); $preview = intval(defaults($_REQUEST, 'preview', 0));
/* /*
* Check for doubly-submitted posts, and reject duplicates * Check for doubly-submitted posts, and reject duplicates
@ -77,90 +77,56 @@ function item_post(App $a) {
} }
// Is this a reply to something? // Is this a reply to something?
$parent = (x($_REQUEST, 'parent') ? intval($_REQUEST['parent']) : 0); $thr_parent = intval(defaults($_REQUEST, 'parent', 0));
$parent_uri = (x($_REQUEST, 'parent_uri') ? trim($_REQUEST['parent_uri']) : ''); $thr_parent_uri = trim(defaults($_REQUEST, 'parent_uri', ''));
$thr_parent_contact = null;
$parent = 0;
$parent_item = null; $parent_item = null;
$parent_contact = null;
$parid = 0;
$r = false;
$objecttype = null;
$parent_user = null; $parent_user = null;
if ($parent || $parent_uri) { $parent_contact = null;
$objecttype = ACTIVITY_OBJ_COMMENT; $objecttype = null;
$profile_uid = defaults($_REQUEST, 'profile_uid', local_user());
if (!x($_REQUEST, 'type')) { if ($thr_parent || $thr_parent_uri) {
$_REQUEST['type'] = 'net-comment'; if ($thr_parent) {
$parent_item = dba::selectFirst('item', [], ['id' => $thr_parent]);
} elseif ($thr_parent_uri) {
$parent_item = dba::selectFirst('item', [], ['uri' => $thr_parent_uri, 'uid' => $profile_uid]);
} }
if ($parent) { // if this isn't the real parent of the conversation, find it
$r = q("SELECT * FROM `item` WHERE `id` = %d LIMIT 1", if (DBM::is_result($parent_item)) {
intval($parent)
);
} elseif ($parent_uri && local_user()) {
// This is coming from an API source, and we are logged in
$r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
dbesc($parent_uri),
intval(local_user())
);
// if this isn't the real parent of the conversation, find it // The URI and the contact is taken from the direct parent which needn't to be the top parent
if (DBM::is_result($r)) { $thr_parent_uri = $parent_item['uri'];
$parid = $r[0]['parent']; $thr_parent_contact = Contact::getDetailsByURL($parent_item["author-link"]);
if ($r[0]['id'] != $r[0]['parent']) {
$r = q("SELECT * FROM `item` WHERE `id` = `parent` AND `parent` = %d LIMIT 1", if ($parent_item['id'] != $parent_item['parent']) {
intval($parid) $parent_item = dba::selectFirst('item', [], ['id' => $parent_item['parent']]);
);
}
} }
} }
if (!DBM::is_result($r)) { if (!DBM::is_result($parent_item)) {
notice(t('Unable to locate original post.') . EOL); notice(t('Unable to locate original post.') . EOL);
if (x($_REQUEST, 'return')) { if (x($_REQUEST, 'return')) {
goaway($return_path); goaway($return_path);
} }
killme(); killme();
} }
$parent_item = $r[0];
$parent = $parent_item['id']; $parent = $parent_item['id'];
$parent_uri = $parent_item['uri'];
$parent_user = $parent_item['uid']; $parent_user = $parent_item['uid'];
if ($parent_item['contact-id']) { $parent_contact = Contact::getDetailsByURL($parent_item["author-link"]);
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
intval($parent_item['contact-id'])
);
if (DBM::is_result($r)) {
$parent_contact = $r[0];
}
// If the contact id doesn't fit with the contact, then set the contact to null $objecttype = ACTIVITY_OBJ_COMMENT;
$thrparent = q("SELECT `author-link`, `network` FROM `item` WHERE `uri` = '%s' LIMIT 1", dbesc($parent_uri));
if (DBM::is_result($thrparent) && ($thrparent[0]["network"] === NETWORK_OSTATUS)
&& (normalise_link($parent_contact["url"]) != normalise_link($thrparent[0]["author-link"]))) {
$parent_contact = Contact::getDetailsByURL($thrparent[0]["author-link"]);
if (!isset($parent_contact["nick"])) { if (!x($_REQUEST, 'type')) {
$probed_contact = Probe::uri($thrparent[0]["author-link"]); $_REQUEST['type'] = 'net-comment';
if ($probed_contact["network"] != NETWORK_FEED) {
$parent_contact = $probed_contact;
$parent_contact["nurl"] = normalise_link($probed_contact["url"]);
$parent_contact["thumb"] = $probed_contact["photo"];
$parent_contact["micro"] = $probed_contact["photo"];
$parent_contact["addr"] = $probed_contact["addr"];
}
}
logger('no contact found: ' . print_r($thrparent, true), LOGGER_DEBUG);
} else {
logger('parent contact: ' . print_r($parent_contact, true), LOGGER_DEBUG);
}
if ($parent_contact["nick"] == "") {
$parent_contact["nick"] = $parent_contact["name"];
}
} }
} }
@ -168,11 +134,10 @@ function item_post(App $a) {
logger('mod_item: item_post parent=' . $parent); logger('mod_item: item_post parent=' . $parent);
} }
$profile_uid = (x($_REQUEST, 'profile_uid') ? intval($_REQUEST['profile_uid']) : 0); $post_id = intval(defaults($_REQUEST, 'post_id', 0));
$post_id = (x($_REQUEST, 'post_id') ? intval($_REQUEST['post_id']) : 0); $app = strip_tags(defaults($_REQUEST, 'source', ''));
$app = (x($_REQUEST, 'source') ? strip_tags($_REQUEST['source']) : ''); $extid = strip_tags(defaults($_REQUEST, 'extid', ''));
$extid = (x($_REQUEST, 'extid') ? strip_tags($_REQUEST['extid']) : ''); $object = defaults($_REQUEST, 'object', '');
$object = (x($_REQUEST, 'object') ? $_REQUEST['object'] : '');
// Ensure that the user id in a thread always stay the same // Ensure that the user id in a thread always stay the same
if (!is_null($parent_user) && in_array($parent_user, [local_user(), 0])) { if (!is_null($parent_user) && in_array($parent_user, [local_user(), 0])) {
@ -181,12 +146,7 @@ function item_post(App $a) {
// Check for multiple posts with the same message id (when the post was created via API) // Check for multiple posts with the same message id (when the post was created via API)
if (($message_id != '') && ($profile_uid != 0)) { if (($message_id != '') && ($profile_uid != 0)) {
$r = q("SELECT * FROM `item` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", if (dba::exists('item', ['uri' => $message_id, 'uid' => $profile_uid])) {
dbesc($message_id),
intval($profile_uid)
);
if (DBM::is_result($r)) {
logger("Message with URI ".$message_id." already exists for user ".$profile_uid, LOGGER_DEBUG); logger("Message with URI ".$message_id." already exists for user ".$profile_uid, LOGGER_DEBUG);
return; return;
} }
@ -210,23 +170,12 @@ function item_post(App $a) {
$orig_post = null; $orig_post = null;
if ($post_id) { if ($post_id) {
$i = q("SELECT * FROM `item` WHERE `uid` = %d AND `id` = %d LIMIT 1", $orig_post = dba::selectFirst('item', [], ['id' => $post_id]);
intval($profile_uid),
intval($post_id)
);
if (!DBM::is_result($i)) {
killme();
}
$orig_post = $i[0];
} }
$user = null; $user = dba::selectFirst('user', [], ['uid' => $profile_uid]);
if (!DBM::is_result($user) && !$orig_post) {
$r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", return;
intval($profile_uid)
);
if (DBM::is_result($r)) {
$user = $r[0];
} }
if ($orig_post) { if ($orig_post) {
@ -244,7 +193,7 @@ function item_post(App $a) {
$title = notags(trim($_REQUEST['title'])); $title = notags(trim($_REQUEST['title']));
$body = escape_tags(trim($_REQUEST['body'])); $body = escape_tags(trim($_REQUEST['body']));
$private = $orig_post['private']; $private = $orig_post['private'];
$pubmail_enable = $orig_post['pubmail']; $pubmail_enabled = $orig_post['pubmail'];
$network = $orig_post['network']; $network = $orig_post['network'];
$guid = $orig_post['guid']; $guid = $orig_post['guid'];
$extid = $orig_post['extid']; $extid = $orig_post['extid'];
@ -267,9 +216,7 @@ function item_post(App $a) {
$str_group_deny = $user['deny_gid']; $str_group_deny = $user['deny_gid'];
$str_contact_deny = $user['deny_cid']; $str_contact_deny = $user['deny_cid'];
} else { } else {
// use the posted permissions // use the posted permissions
$str_group_allow = perms2str($_REQUEST['group_allow']); $str_group_allow = perms2str($_REQUEST['group_allow']);
$str_contact_allow = perms2str($_REQUEST['contact_allow']); $str_contact_allow = perms2str($_REQUEST['contact_allow']);
$str_group_deny = perms2str($_REQUEST['group_deny']); $str_group_deny = perms2str($_REQUEST['group_deny']);
@ -312,20 +259,12 @@ function item_post(App $a) {
$private = $parent_item['private']; $private = $parent_item['private'];
} }
$pubmail_enable = ((x($_REQUEST, 'pubmail_enable') && intval($_REQUEST['pubmail_enable']) && !$private) ? 1 : 0); $pubmail_enabled = defaults($_REQUEST, 'pubmail_enable', false) && !$private;
// if using the API, we won't see pubmail_enable - figure out if it should be set // if using the API, we won't see pubmail_enable - figure out if it should be set
if ($api_source && $profile_uid && $profile_uid == local_user() && !$private) { if ($api_source && $profile_uid && $profile_uid == local_user() && !$private) {
$mail_disabled = ((function_exists('imap_open') && !Config::get('system', 'imap_disabled')) ? 0 : 1); if (function_exists('imap_open') && !Config::get('system', 'imap_disabled')) {
if (!$mail_disabled) { $pubmail_enabled = dba::exists('mailacct', ["`uid` = ? AND `server` != ? AND `pubmail`", local_user(), '']);
/// @TODO Check if only pubmail is loaded, * loads all columns
$r = q("SELECT * FROM `mailacct` WHERE `uid` = %d AND `server` != '' LIMIT 1",
intval(local_user())
);
if (DBM::is_result($r) && intval($r[0]['pubmail'])) {
$pubmail_enabled = true;
}
} }
} }
@ -362,8 +301,7 @@ function item_post(App $a) {
if (local_user() && ((local_user() == $profile_uid) || $allow_comment)) { if (local_user() && ((local_user() == $profile_uid) || $allow_comment)) {
$self = true; $self = true;
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` LIMIT 1", $author = dba::selectFirst('contact', [], ['uid' => local_user(), 'self' => true]);
intval($_SESSION['uid']));
} elseif (remote_user()) { } elseif (remote_user()) {
if (x($_SESSION, 'remote') && is_array($_SESSION['remote'])) { if (x($_SESSION, 'remote') && is_array($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $v) { foreach ($_SESSION['remote'] as $v) {
@ -374,28 +312,19 @@ function item_post(App $a) {
} }
} }
if ($contact_id) { if ($contact_id) {
$r = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1", $author = dba::selectFirst('contact', [], ['id' => $contact_id]);
intval($contact_id)
);
} }
} }
if (DBM::is_result($r)) { if (DBM::is_result($author)) {
$author = $r[0];
$contact_id = $author['id']; $contact_id = $author['id'];
} }
// get contact info for owner // get contact info for owner
if ($profile_uid == local_user() || $allow_comment) { if ($profile_uid == local_user() || $allow_comment) {
$contact_record = $author; $contact_record = $author;
} else { } else {
$r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` LIMIT 1", $contact_record = dba::selectFirst('contact', [], ['uid' => $profile_uid, 'self' => true]);
intval($profile_uid)
);
if (DBM::is_result($r)) {
$contact_record = $r[0];
}
} }
$post_type = notags(trim($_REQUEST['type'])); $post_type = notags(trim($_REQUEST['type']));
@ -414,35 +343,20 @@ function item_post(App $a) {
$tags = get_tags($body); $tags = get_tags($body);
/* // Add a tag if the parent contact is from OStatus (This will notify them during delivery)
* add a statusnet style reply tag if the original post was from there if ($parent) {
* and we are replying, and there isn't one already if ($thr_parent_contact['network'] == NETWORK_OSTATUS) {
*/ $contact = '@[url=' . $thr_parent_contact['url'] . ']' . $thr_parent_contact['nick'] . '[/url]';
if ($parent && ($parent_contact['network'] == NETWORK_OSTATUS)) { if (!in_array($contact, $tags)) {
$contact = '@[url=' . $parent_contact['url'] . ']' . $parent_contact['nick'] . '[/url]'; $tags[] = $contact;
if (!in_array($contact, $tags)) {
$body = $contact . ' ' . $body;
$tags[] = $contact;
}
$toplevel_contact = "";
$toplevel_parent = q("SELECT `contact`.* FROM `contact`
INNER JOIN `item` ON `item`.`contact-id` = `contact`.`id` AND `contact`.`url` = `item`.`author-link`
WHERE `item`.`id` = `item`.`parent` AND `item`.`parent` = %d", intval($parent));
if (DBM::is_result($toplevel_parent)) {
if (!empty($toplevel_parent[0]['addr'])) {
$toplevel_contact = '@' . $toplevel_parent[0]['addr'];
} else {
$toplevel_contact = '@' . $toplevel_parent[0]['nick'] . '+' . $toplevel_parent[0]['id'];
} }
} else {
$toplevel_parent = q("SELECT `author-link`, `author-name` FROM `item` WHERE `id` = `parent` AND `parent` = %d", intval($parent));
$toplevel_contact = '@[url=' . $toplevel_parent[0]['author-link'] . ']' . $toplevel_parent[0]['author-name'] . '[/url]';
} }
if (!in_array($toplevel_contact, $tags)) { if ($parent_contact['network'] == NETWORK_OSTATUS) {
$tags[] = $toplevel_contact; $contact = '@[url=' . $parent_contact['url'] . ']' . $parent_contact['nick'] . '[/url]';
if (!in_array($contact, $tags)) {
$tags[] = $contact;
}
} }
} }
@ -528,6 +442,7 @@ function item_post(App $a) {
$match = null; $match = null;
/// @todo these lines should be moved to Model/Photo
if (!$preview && preg_match_all("/\[img([\=0-9x]*?)\](.*?)\[\/img\]/",$body,$match)) { if (!$preview && preg_match_all("/\[img([\=0-9x]*?)\](.*?)\[\/img\]/",$body,$match)) {
$images = $match[2]; $images = $match[2];
if (count($images)) { if (count($images)) {
@ -543,29 +458,20 @@ function item_post(App $a) {
if (!strlen($image_uri)) { if (!strlen($image_uri)) {
continue; continue;
} }
// Ensure to only modify photos that you own
$srch = '<' . intval($original_contact_id) . '>'; $srch = '<' . intval($original_contact_id) . '>';
$r = q("SELECT `id` FROM `photo` WHERE `allow_cid` = '%s' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' $condition = ['allow_cid' => $srch, 'allow_gid' => '', 'deny_cid' => '', 'deny_gid' => '',
AND `resource-id` = '%s' AND `uid` = %d LIMIT 1", 'resource-id' => $image_uri, 'uid' => $profile_uid];
dbesc($srch), if (!dba::exists('photo', $condition)) {
dbesc($image_uri),
intval($profile_uid)
);
if (!DBM::is_result($r)) {
continue; continue;
} }
$r = q("UPDATE `photo` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' $fields = ['allow_cid' => $str_contact_allow, 'allow_gid' => $str_group_allow,
WHERE `resource-id` = '%s' AND `uid` = %d AND `album` = '%s' ", 'deny_cid' => $str_contact_deny, 'deny_gid' => $str_group_deny];
dbesc($str_contact_allow), $condition = ['resource-id' => $image_uri, 'uid' => $profile_uid, 'album' => t('Wall Photos')];
dbesc($str_group_allow), dba::update('photo', $fields, $condition);
dbesc($str_contact_deny),
dbesc($str_group_deny),
dbesc($image_uri),
intval($profile_uid),
dbesc(t('Wall Photos'))
);
} }
} }
} }
@ -576,25 +482,24 @@ function item_post(App $a) {
*/ */
$match = false; $match = false;
/// @todo these lines should be moved to Model/Attach (Once it exists)
if (!$preview && preg_match_all("/\[attachment\](.*?)\[\/attachment\]/", $body, $match)) { if (!$preview && preg_match_all("/\[attachment\](.*?)\[\/attachment\]/", $body, $match)) {
$attaches = $match[1]; $attaches = $match[1];
if (count($attaches)) { if (count($attaches)) {
foreach ($attaches as $attach) { foreach ($attaches as $attach) {
$r = q("SELECT * FROM `attach` WHERE `uid` = %d AND `id` = %d LIMIT 1", // Ensure to only modify attachments that you own
intval($profile_uid), $srch = '<' . intval($original_contact_id) . '>';
intval($attach)
); $condition = ['allow_cid' => $srch, 'allow_gid' => '', 'deny_cid' => '', 'deny_gid' => '',
if (DBM::is_result($r)) { 'id' => $attach];
$r = q("UPDATE `attach` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' if (!dba::exists('attach', $condition)) {
WHERE `uid` = %d AND `id` = %d", continue;
dbesc($str_contact_allow),
dbesc($str_group_allow),
dbesc($str_contact_deny),
dbesc($str_group_deny),
intval($profile_uid),
intval($attach)
);
} }
$fields = ['allow_cid' => $str_contact_allow, 'allow_gid' => $str_group_allow,
'deny_cid' => $str_contact_deny, 'deny_gid' => $str_group_deny];
$condition = ['id' => $attach];
dba::update('attach', $fields, $condition);
} }
} }
} }
@ -637,15 +542,15 @@ function item_post(App $a) {
if (preg_match_all('/(\[attachment\]([0-9]+)\[\/attachment\])/',$body,$match)) { if (preg_match_all('/(\[attachment\]([0-9]+)\[\/attachment\])/',$body,$match)) {
foreach ($match[2] as $mtch) { foreach ($match[2] as $mtch) {
$r = q("SELECT `id`,`filename`,`filesize`,`filetype` FROM `attach` WHERE `uid` = %d AND `id` = %d LIMIT 1", $fields = ['id', 'filename', 'filesize', 'filetype'];
intval($profile_uid), $attachment = dba::selectFirst('attach', $fields, ['id' => $mtch]);
intval($mtch) if (DBM::is_result($attachment)) {
);
if (DBM::is_result($r)) {
if (strlen($attachments)) { if (strlen($attachments)) {
$attachments .= ','; $attachments .= ',';
} }
$attachments .= '[attach]href="' . System::baseUrl() . '/attach/' . $r[0]['id'] . '" length="' . $r[0]['filesize'] . '" type="' . $r[0]['filetype'] . '" title="' . (($r[0]['filename']) ? $r[0]['filename'] : '') . '"[/attach]'; $attachments .= '[attach]href="' . System::baseUrl() . '/attach/' . $attachment['id'] .
'" length="' . $attachment['filesize'] . '" type="' . $attachment['filetype'] .
'" title="' . ($attachment['filename'] ? $attachment['filename'] : '') . '"[/attach]';
} }
$body = str_replace($match[1],'',$body); $body = str_replace($match[1],'',$body);
} }
@ -670,15 +575,15 @@ function item_post(App $a) {
// even if the post arrived via API we are considering that it // even if the post arrived via API we are considering that it
// originated on this site by default for determining relayability. // originated on this site by default for determining relayability.
$origin = (x($_REQUEST, 'origin') ? intval($_REQUEST['origin']) : 1); $origin = intval(defaults($_REQUEST, 'origin', 1));
$notify_type = ($parent ? 'comment-new' : 'wall-new'); $notify_type = ($parent ? 'comment-new' : 'wall-new');
$uri = ($message_id ? $message_id : item_new_uri($a->get_hostname(), $profile_uid, $guid)); $uri = ($message_id ? $message_id : item_new_uri($a->get_hostname(), $profile_uid, $guid));
// Fallback so that we alway have a parent uri // Fallback so that we alway have a parent uri
if (!$parent_uri || !$parent) { if (!$thr_parent_uri || !$parent) {
$parent_uri = $uri; $thr_parent_uri = $uri;
} }
$datarray = []; $datarray = [];
@ -719,10 +624,13 @@ function item_post(App $a) {
$datarray['deny_cid'] = $str_contact_deny; $datarray['deny_cid'] = $str_contact_deny;
$datarray['deny_gid'] = $str_group_deny; $datarray['deny_gid'] = $str_group_deny;
$datarray['private'] = $private; $datarray['private'] = $private;
$datarray['pubmail'] = $pubmail_enable; $datarray['pubmail'] = $pubmail_enabled;
$datarray['attach'] = $attachments; $datarray['attach'] = $attachments;
$datarray['bookmark'] = intval($bookmark); $datarray['bookmark'] = intval($bookmark);
$datarray['parent-uri'] = $parent_uri;
// This is not a bug. The item store function changes 'parent-uri' to 'thr-parent' and fetches 'parent-uri' new. (We should change this)
$datarray['parent-uri'] = $thr_parent_uri;
$datarray['postopts'] = $postopts; $datarray['postopts'] = $postopts;
$datarray['origin'] = $origin; $datarray['origin'] = $origin;
$datarray['moderated'] = false; $datarray['moderated'] = false;