From af85e498ceb768beba04df743036abbdf9ef1f2b Mon Sep 17 00:00:00 2001
From: Dean Townsley
Date: Sat, 8 Jun 2019 10:11:02 -0500
Subject: [PATCH 1/3] expand permission check to remote array

This check was preventing multiple private images from different users on the same server from loading on the same page. It was only checking for permission for the single id returned by the remote_user() function rather than the multiple possible autheniticated id's stored in the remote arry session variable.

---
 src/Util/Security.php | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/Util/Security.php b/src/Util/Security.php
index d1e668e0d8..0680bc08c1 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -120,9 +120,21 @@ class Security extends BaseObject
 */
 if (!$remote_verified) {
- if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) {
+ $cid = 0;
+
+ if (!empty($_SESSION['remote'])) {
+ foreach ($_SESSION['remote'] as $visitor) {
+ Logger::log("this remote array entry is".$visitor);
+ if ($visitor['uid'] == $owner_id) {
+ $cid = $visitor['cid'];
+ break;
+ }
+ }
+ }
+
+ if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
 $remote_verified = true;
- $groups = Group::getIdsByContactId($remote_user);
+ $groups = Group::getIdsByContactId($cid);
 }
 }
@@ -140,9 +152,9 @@ class Security extends BaseObject
 AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) ) ",
- intval($remote_user),
+ intval($cid),
 DBA::escape($gs),
- intval($remote_user),
+ intval($cid),
 DBA::escape($gs)
 );
 }

From 5c93db4097f77e7a45fcf4d61afe2ee07066311f Mon Sep 17 00:00:00 2001
From: Dean Townsley
Date: Sat, 8 Jun 2019 20:23:12 -0500
Subject: [PATCH 2/3] remove leftover logging

---
 src/Util/Security.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Util/Security.php b/src/Util/Security.php
index 0680bc08c1..90e90d8508 100644
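Review bot: `$cid` is assigned only inside `if (!$remote_verified) {`, yet the second hunk of this patch fills the permission SQL with `intval($cid)` unconditionally; when a caller enters with `$remote_verified` already true (the guard suggests it is a parameter, and the function header lies outside the hunk), `$cid` is undefined and `intval($cid)` yields 0, so the per-contact `%d` placeholders in the sprintf no longer refer to the pre-verified visitor's contact id and the allow/deny matching for that visitor is wrong. Seeding the variable from the id the function already has, `$cid = $remote_user;` placed immediately above `if (!$remote_verified) {`, preserves the pre-verified path while the session lookup still overrides it for unverified visitors. The same gap remains after the third patch, which only changes how the session array is read. The enclosing function begins and ends outside both hunks.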
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -124,7 +124,6 @@ class Security extends BaseObject
 if (!empty($_SESSION['remote'])) {
 foreach ($_SESSION['remote'] as $visitor) {
- Logger::log("this remote array entry is".$visitor);
 if ($visitor['uid'] == $owner_id) {
 $cid = $visitor['cid'];
 break;

From 19e99f7e8198fd74c5cd6bff19b361b09c3408af Mon Sep 17 00:00:00 2001
From: Dean Townsley
Date: Sat, 8 Jun 2019 20:24:51 -0500
Subject: [PATCH 3/3] Use accessing function for session variable

---
 src/Util/Security.php | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/Util/Security.php b/src/Util/Security.php
index 90e90d8508..1c934d6fe6 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -122,12 +122,10 @@ class Security extends BaseObject
 if (!$remote_verified) {
 $cid = 0;
- if (!empty($_SESSION['remote'])) {
- foreach ($_SESSION['remote'] as $visitor) {
- if ($visitor['uid'] == $owner_id) {
- $cid = $visitor['cid'];
- break;
- }
+ foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
+ if ($visitor['uid'] == $owner_id) {
+ $cid = $visitor['cid'];
+ break;
 }
 }
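Review bot: `$visitor['uid'] == $owner_id` in the new loop keeps the loose comparison from the first patch on a value read back from the session; both sides are meant to be integer ids, so `if ((int) $visitor['uid'] === (int) $owner_id) {` gives the same match for well-formed entries while ruling out PHP's loose-comparison edge cases. Separately, `\Friendica\Core\Session::get(...)` is the only fully-qualified class reference here, whereas `DBA` and `Group` in the first patch's hunk are used unqualified, which suggests the file brings classes in with `use`; adding `use Friendica\Core\Session;` to the file's import block and writing `Session::get('remote', [])` would keep the style consistent. The enclosing function begins and ends outside the hunk.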