mexon/friendica
1
0
Fork 0
Code Pull requests Activity

Merge branch 'master' of git://github.com/friendika/friendika

Browse source
This commit is contained in:
root 2010-12-08 06:54:13 +01:00
parent af48dbec7f a42b9ea3de
commit a96da92571
17 changed files with 315 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
boot.php
View file

@ -2,7 +2,7 @@
set_time_limit(0); set_time_limit(0);
define ( 'BUILD_ID', 1021 ); define ( 'BUILD_ID', 1022 );
define ( 'DFRN_PROTOCOL_VERSION', '2.0' ); define ( 'DFRN_PROTOCOL_VERSION', '2.0' );
define ( 'EOL', "<br />\r\n" ); define ( 'EOL', "<br />\r\n" );
@ -518,16 +518,29 @@ function random_string() {
return(hash('sha256',uniqid(rand(),true))); return(hash('sha256',uniqid(rand(),true)));
}} }}
// This is our primary input filter. The high bit hack only involved some old /**
// IE browser, forget which. * This is our primary input filter.
// Use this on any text input where angle chars are not valid or permitted *
// They will be replaced with safer brackets. This may be filtered further * The high bit hack only involved some old IE browser, forget which (IE5/Mac?)
// if these are not allowed either. * that had an XSS attack vector due to stripping the high-bit on an 8-bit character
* after cleansing, and angle chars with the high bit set could get through as markup.
*
* This is now disabled because it was interfering with some legitimate unicode sequences
* and hopefully there aren't a lot of those browsers left.
*
* Use this on any text input where angle chars are not valid or permitted
* They will be replaced with safer brackets. This may be filtered further
* if these are not allowed either.
*
*/
if(! function_exists('notags')) { if(! function_exists('notags')) {
function notags($string) { function notags($string) {
// protect against :<> with high-bit set
return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string)); return(str_replace(array("<",">"), array('[',']'), $string));
// High-bit filter no longer used
// return(str_replace(array("<",">","\xBA","\xBC","\xBE"), array('[',']','','',''), $string));
}} }}
// use this on "body" or "content" input where angle chars shouldn't be removed, // use this on "body" or "content" input where angle chars shouldn't be removed,

3
database.sql
View file

@ -187,6 +187,7 @@ CREATE TABLE IF NOT EXISTS `item` (
`allow_gid` mediumtext NOT NULL, `allow_gid` mediumtext NOT NULL,
`deny_cid` mediumtext NOT NULL, `deny_cid` mediumtext NOT NULL,
`deny_gid` mediumtext NOT NULL, `deny_gid` mediumtext NOT NULL,
`private` tinyint(1) NOT NULL DEFAULT '0',
`visible` tinyint(1) NOT NULL DEFAULT '0', `visible` tinyint(1) NOT NULL DEFAULT '0',
`unseen` tinyint(1) NOT NULL DEFAULT '1', `unseen` tinyint(1) NOT NULL DEFAULT '1',
`deleted` tinyint(1) NOT NULL DEFAULT '0', `deleted` tinyint(1) NOT NULL DEFAULT '0',
@ -319,7 +320,9 @@ CREATE TABLE IF NOT EXISTS `profile` (
CREATE TABLE IF NOT EXISTS `profile_check` ( CREATE TABLE IF NOT EXISTS `profile_check` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT, `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`uid` int(10) unsigned NOT NULL, `uid` int(10) unsigned NOT NULL,
`cid` int(10) unsigned NOT NULL,
`dfrn_id` char(255) NOT NULL, `dfrn_id` char(255) NOT NULL,
`sec` char(255) NOT NULL,
`expire` int(11) NOT NULL, `expire` int(11) NOT NULL,
PRIMARY KEY (`id`) PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8; ) ENGINE=MyISAM DEFAULT CHARSET=utf8;

24
include/dba.php
View file

@ -1,12 +1,15 @@
<?php <?php
// MySQL database class /**
// *
// For debugging, insert 'dbg(x);' anywhere in the program flow. * MySQL database class
// x = 1: display db success/failure following content *
// x = 2: display full queries following content * For debugging, insert 'dbg(1);' anywhere in the program flow.
// x = 3: display full queries using echo; which will mess up display * dbg(0); will turn it off. Logging is performed at LOGGER_DATA level.
// really bad but will return output in stubborn cases. * When logging, all binary info is converted to text and html entities are escaped so that
* the debugging stream is safe to view within both terminals and web pages.
*
*/
if(! class_exists('dba')) { if(! class_exists('dba')) {
class dba { class dba {
@ -51,6 +54,13 @@ class dba {
logger('dba: ' . $str ); logger('dba: ' . $str );
} }
else { else {
/*
* If dbfail.out exists, we will write any failed calls directly to it,
* regardless of any logging that may or may nor be in effect.
* These usually indicate SQL syntax errors that need to be resolved.
*/
if($result === false) { if($result === false) {
logger('dba: ' . printable($sql) . ' returned false.'); logger('dba: ' . printable($sql) . ' returned false.');
if(file_exists('dbfail.out')) if(file_exists('dbfail.out'))

18
include/items.php
View file

@ -367,6 +367,12 @@ function get_atom_elements($feed,$item) {
else else
$res['last-child'] = 0; $res['last-child'] = 0;
$private = $item->get_item_tags(NAMESPACE_DFRN,'private');
if($private && $private[0]['data'] == 1)
$res['private'] = 1;
else
$res['private'] = 0;
$rawcreated = $item->get_item_tags(SIMPLEPIE_NAMESPACE_ATOM_10,'published'); $rawcreated = $item->get_item_tags(SIMPLEPIE_NAMESPACE_ATOM_10,'published');
if($rawcreated) if($rawcreated)
$res['created'] = unxmlify($rawcreated[0]['data']); $res['created'] = unxmlify($rawcreated[0]['data']);
@ -549,6 +555,7 @@ function item_store($arr) {
$arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : ''); $arr['allow_gid'] = ((x($arr,'allow_gid')) ? trim($arr['allow_gid']) : '');
$arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : ''); $arr['deny_cid'] = ((x($arr,'deny_cid')) ? trim($arr['deny_cid']) : '');
$arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : ''); $arr['deny_gid'] = ((x($arr,'deny_gid')) ? trim($arr['deny_gid']) : '');
$arr['private'] = ((x($arr,'private')) ? intval($arr['private']) : 0 );
$arr['body'] = ((x($arr,'body')) ? escape_tags(trim($arr['body'])) : ''); $arr['body'] = ((x($arr,'body')) ? escape_tags(trim($arr['body'])) : '');
// The content body has been through a lot of filtering and transport escaping by now. // The content body has been through a lot of filtering and transport escaping by now.
@ -631,15 +638,21 @@ function item_store($arr) {
if($arr['parent-uri'] === $arr['uri']) if($arr['parent-uri'] === $arr['uri'])
$parent_id = $current_post; $parent_id = $current_post;
if(strlen($allow_cid) || strlen($allow_gid) || strlen($deny_cid) || strlen($deny_gid))
$private = 1;
else
$private = $arr['private'];
// Set parent id - and also make sure to inherit the parent's ACL's. // Set parent id - and also make sure to inherit the parent's ACL's.
$r = q("UPDATE `item` SET `parent` = %d, `allow_cid` = '%s', `allow_gid` = '%s', $r = q("UPDATE `item` SET `parent` = %d, `allow_cid` = '%s', `allow_gid` = '%s',
`deny_cid` = '%s', `deny_gid` = '%s' WHERE `id` = %d LIMIT 1", `deny_cid` = '%s', `deny_gid` = '%s', `private` = %d WHERE `id` = %d LIMIT 1",
intval($parent_id), intval($parent_id),
dbesc($allow_cid), dbesc($allow_cid),
dbesc($allow_gid), dbesc($allow_gid),
dbesc($deny_cid), dbesc($deny_cid),
dbesc($deny_gid), dbesc($deny_gid),
intval($private),
intval($current_post) intval($current_post)
); );
@ -1256,6 +1269,9 @@ function atom_entry($item,$type,$author,$owner,$comment = false) {
if($item['coord']) if($item['coord'])
$o .= '<georss:point>' . xmlify($item['coord']) . '</georss:point>' . "\r\n"; $o .= '<georss:point>' . xmlify($item['coord']) . '</georss:point>' . "\r\n";
if(($item['private']) || strlen($item['allow_cid']) || strlen($item['allow_gid']) || strlen($item['deny_cid']) || strlen($item['deny_gid']))
$o .= '<dfrn:private>1</dfrn:private>' . "\r\n";
$verb = construct_verb($item); $verb = construct_verb($item);
$o .= '<as:verb>' . xmlify($verb) . '</as:verb>' . "\r\n"; $o .= '<as:verb>' . xmlify($verb) . '</as:verb>' . "\r\n";
$actobj = construct_activity_object($item); $actobj = construct_activity_object($item);

11
index.php
View file

@ -12,8 +12,12 @@ $install = ((file_exists('.htconfig.php')) ? false : true);
@include(".htconfig.php"); @include(".htconfig.php");
if(isset($lang) && strlen($lang)) // get language setting directly from system variables, bypassing get_config()
load_translation_table($lang); // as database may not yet be configured.
$lang = ((isset($a->config['system']['language'])) ? $a->config['system']['language'] : 'en');
load_translation_table($lang);
require_once("dba.php"); require_once("dba.php");
$db = new dba($db_host, $db_user, $db_pass, $db_data, $install); $db = new dba($db_host, $db_user, $db_pass, $db_data, $install);
@ -122,9 +126,6 @@ $a->page['htmlhead'] = replace_macros($a->page['htmlhead'], array(
$page = $a->page; $page = $a->page;
$profile = $a->profile; $profile = $a->profile;
$lang = get_config('system','language');
if($lang === false)
$lang = 'en';
header("Content-type: text/html; charset=utf-8"); header("Content-type: text/html; charset=utf-8");

138
mod/dfrn_poll.php
View file

@ -7,12 +7,12 @@ require_once('include/auth.php');
function dfrn_poll_init(&$a) { function dfrn_poll_init(&$a) {
$dfrn_id = ((x($_GET,'dfrn_id')) ? $_GET['dfrn_id'] : ''); $dfrn_id = ((x($_GET,'dfrn_id')) ? $_GET['dfrn_id'] : '');
$type = ((x($_GET,'type')) ? $_GET['type'] : ''); $type = ((x($_GET,'type')) ? $_GET['type'] : 'data');
$last_update = ((x($_GET,'last_update')) ? $_GET['last_update'] : ''); $last_update = ((x($_GET,'last_update')) ? $_GET['last_update'] : '');
$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url'] : ''); $destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url'] : '');
$sec = ((x($_GET,'sec')) ? intval($_GET['sec']) : 0); $challenge = ((x($_GET,'challenge')) ? $_GET['challenge'] : '');
$dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 0); $sec = ((x($_GET,'sec')) ? $_GET['sec'] : '');
$dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0);
$direction = (-1); $direction = (-1);
@ -29,7 +29,7 @@ function dfrn_poll_init(&$a) {
killme(); killme();
} }
if((isset($type)) && ($type === 'profile')) { if(($type === 'profile') && (! strlen($sec))) {
$sql_extra = ''; $sql_extra = '';
switch($direction) { switch($direction) {
@ -61,6 +61,8 @@ function dfrn_poll_init(&$a) {
$s = fetch_url($r[0]['poll'] . '?dfrn_id=' . $my_id . '&type=profile-check'); $s = fetch_url($r[0]['poll'] . '?dfrn_id=' . $my_id . '&type=profile-check');
logger("dfrn_poll: old profile returns " . $s, LOGGER_DATA);
if(strlen($s)) { if(strlen($s)) {
$xml = simplexml_load_string($s); $xml = simplexml_load_string($s);
@ -85,7 +87,62 @@ function dfrn_poll_init(&$a) {
} }
if((isset($type)) && ($type === 'profile-check')) { if($type === 'profile-check') {
if((strlen($challenge)) && (strlen($sec))) {
q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
$r = q("SELECT * FROM `profile_check` WHERE `sec` = '%s' ORDER BY `expire` DESC LIMIT 1",
dbesc($sec)
);
if(! count($r)) {
xml_status(3);
// NOTREACHED
}
$orig_id = $r[0]['dfrn_id'];
if(strpos(':',$orig_id))
$orig_id = substr($orig_id,2);
$c = q("SELECT * FROM `contact` WHERE `id` = %d LIMIT 1",
intval($r[0]['cid'])
);
if(! count($c)) {
xml_status(3);
}
$contact = $c[0];
$sent_dfrn_id = hex2bin($dfrn_id);
$challenge = hex2bin($challenge);
$final_dfrn_id = '';
if(($contact['duplex']) && strlen($contact['prvkey'])) {
openssl_private_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['prvkey']);
openssl_private_decrypt($challenge,$decoded_challenge,$contact['prvkey']);
}
else {
openssl_public_decrypt($sent_dfrn_id,$final_dfrn_id,$contact['pubkey']);
openssl_public_decrypt($challenge,$decoded_challenge,$contact['pubkey']);
}
$final_dfrn_id = substr($final_dfrn_id, 0, strpos($final_dfrn_id, '.'));
if(strpos($final_dfrn_id,':') == 1)
$final_dfrn_id = substr($final_dfrn_id,2);
if($final_dfrn_id != $orig_id) {
// did not decode properly - cannot trust this site
xml_status(3);
}
header("Content-type: text/xml");
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?><dfrn_poll><status>0</status><challenge>$decoded_challenge</challenge><sec>$sec</sec></dfrn_poll>";
killme();
// NOTREACHED
}
else {
// old protocol
switch($direction) { switch($direction) {
case 1: case 1:
@ -97,6 +154,8 @@ function dfrn_poll_init(&$a) {
default: default:
break; break;
} }
q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time())); q("DELETE FROM `profile_check` WHERE `expire` < " . intval(time()));
$r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC", $r = q("SELECT * FROM `profile_check` WHERE `dfrn_id` = '%s' ORDER BY `expire` DESC",
dbesc($dfrn_id)); dbesc($dfrn_id));
@ -107,7 +166,7 @@ function dfrn_poll_init(&$a) {
xml_status(0); xml_status(0);
return; // NOTREACHED return; // NOTREACHED
} }
}
} }
@ -118,7 +177,7 @@ function dfrn_poll_post(&$a) {
$dfrn_id = ((x($_POST,'dfrn_id')) ? $_POST['dfrn_id'] : ''); $dfrn_id = ((x($_POST,'dfrn_id')) ? $_POST['dfrn_id'] : '');
$challenge = ((x($_POST,'challenge')) ? $_POST['challenge'] : ''); $challenge = ((x($_POST,'challenge')) ? $_POST['challenge'] : '');
$url = ((x($_POST,'url')) ? $_POST['url'] : ''); $url = ((x($_POST,'url')) ? $_POST['url'] : '');
$dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 0); $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0);
$direction = (-1); $direction = (-1);
if(strpos($dfrn_id,':') == 1) { if(strpos($dfrn_id,':') == 1) {
@ -216,8 +275,9 @@ function dfrn_poll_content(&$a) {
$dfrn_id = ((x($_GET,'dfrn_id')) ? $_GET['dfrn_id'] : ''); $dfrn_id = ((x($_GET,'dfrn_id')) ? $_GET['dfrn_id'] : '');
$type = ((x($_GET,'type')) ? $_GET['type'] : 'data'); $type = ((x($_GET,'type')) ? $_GET['type'] : 'data');
$last_update = ((x($_GET,'last_update')) ? $_GET['last_update'] : ''); $last_update = ((x($_GET,'last_update')) ? $_GET['last_update'] : '');
$destination_url = ((x($_GET,'destination_url')) ? $_GET['destination_url'] : '');
$sec = ((x($_GET,'sec')) ? $_GET['sec'] : '');
$dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0); $dfrn_version = ((x($_GET,'dfrn_version')) ? (float) $_GET['dfrn_version'] : 2.0);
$sec = ((x($_GET,'sec')) ? intval($_GET['sec']) : 0);
$direction = (-1); $direction = (-1);
if(strpos($dfrn_id,':') == 1) { if(strpos($dfrn_id,':') == 1) {
@ -234,6 +294,7 @@ function dfrn_poll_content(&$a) {
$r = q("DELETE FROM `challenge` WHERE `expire` < " . intval(time())); $r = q("DELETE FROM `challenge` WHERE `expire` < " . intval(time()));
if($type !== 'profile') {
$r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` ) $r = q("INSERT INTO `challenge` ( `challenge`, `dfrn-id`, `expire` , `type`, `last_update` )
VALUES( '%s', '%s', '%s', '%s', '%s' ) ", VALUES( '%s', '%s', '%s', '%s', '%s' ) ",
dbesc($hash), dbesc($hash),
@ -242,10 +303,13 @@ function dfrn_poll_content(&$a) {
dbesc($type), dbesc($type),
dbesc($last_update) dbesc($last_update)
); );
}
$sql_extra = ''; $sql_extra = '';
switch($direction) { switch($direction) {
case (-1): case (-1):
if($type === 'profile')
$sql_extra = sprintf(" AND ( `dfrn-id` = '%s' OR `issued-id` = '%s' ) ", dbesc($dfrn_id),dbesc($dfrn_id));
else
$sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id)); $sql_extra = sprintf(" AND `issued-id` = '%s' ", dbesc($dfrn_id));
$my_id = $dfrn_id; $my_id = $dfrn_id;
break; break;
@ -262,7 +326,12 @@ function dfrn_poll_content(&$a) {
break; // NOTREACHED break; // NOTREACHED
} }
$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 $sql_extra LIMIT 1"); $r = q("SELECT `contact`.*, `user`.`username`, `user`.`nickname`
FROM `contact` LEFT JOIN `user` ON `contact`.`uid` = `user`.`uid`
WHERE `contact`.`blocked` = 0 AND `contact`.`pending` = 0
AND `user`.`nickname` = '%s' $sql_extra LIMIT 1",
dbesc($a->argv[1])
);
if(count($r)) { if(count($r)) {
@ -270,7 +339,6 @@ function dfrn_poll_content(&$a) {
$encrypted_id = ''; $encrypted_id = '';
$id_str = $my_id . '.' . mt_rand(1000,9999); $id_str = $my_id . '.' . mt_rand(1000,9999);
if($r[0]['duplex'] && strlen($r[0]['pubkey'])) { if($r[0]['duplex'] && strlen($r[0]['pubkey'])) {
openssl_public_encrypt($hash,$challenge,$r[0]['pubkey']); openssl_public_encrypt($hash,$challenge,$r[0]['pubkey']);
openssl_public_encrypt($id_str,$encrypted_id,$r[0]['pubkey']); openssl_public_encrypt($id_str,$encrypted_id,$r[0]['pubkey']);
@ -287,6 +355,50 @@ function dfrn_poll_content(&$a) {
$status = 1; $status = 1;
} }
if(($type === 'profile') && (strlen($sec))) {
// URL reply
$s = fetch_url($r[0]['poll']
. '?dfrn_id=' . $encrypted_id
. '&type=profile-check'
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION
. '&challenge=' . $challenge
. '&sec=' . $sec
);
logger("dfrn_poll: sec profile: " . $s, LOGGER_DATA);
if(strlen($s) && strstr($s,'<?xml')) {
$xml = simplexml_load_string($s);
logger('dfrn_poll: profile: parsed xml: ' . print_r($xml,true), LOGGER_DATA);
logger('dfrn_poll: secure profile: challenge: ' . $xml->challenge . ' expecting ' . $hash);
logger('dfrn_poll: secure profile: sec: ' . $xml->sec . ' expecting ' . $sec);
if(((int) $xml->status == 0) && ($xml->challenge == $hash) && ($xml->sec == $sec)) {
$_SESSION['authenticated'] = 1;
$_SESSION['visitor_id'] = $r[0]['id'];
notice( $r[0]['username'] . t(' welcomes ') . $r[0]['name'] . EOL);
// Visitors get 1 day session.
$session_id = session_id();
$expire = time() + 86400;
q("UPDATE `session` SET `expire` = '%s' WHERE `sid` = '%s' LIMIT 1",
dbesc($expire),
dbesc($session_id)
);
}
$profile = $r[0]['nickname'];
goaway((strlen($destination_url)) ? $destination_url : $a->get_baseurl() . '/profile/' . $profile);
}
goaway($a->get_baseurl());
// NOTREACHED
}
else {
// XML reply
header("Content-type: text/xml"); header("Content-type: text/xml");
echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n" echo '<?xml version="1.0" encoding="UTF-8"?>' . "\r\n"
. '<dfrn_poll>' . "\r\n" . '<dfrn_poll>' . "\r\n"
@ -296,6 +408,8 @@ function dfrn_poll_content(&$a) {
. "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n" . "\t" . '<challenge>' . $challenge . '</challenge>' . "\r\n"
. '</dfrn_poll>' . "\r\n" ; . '</dfrn_poll>' . "\r\n" ;
killme(); killme();
// NOTREACHED
}
} }
} }

12
mod/display.php
View file

@ -142,8 +142,8 @@ function display_content(&$a) {
&& ($item['id'] != $item['parent'])) && ($item['id'] != $item['parent']))
continue; continue;
$lock = (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid']) $lock = ((($item['private']) || (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid'])
|| strlen($item['deny_cid']) || strlen($item['deny_gid'])) || strlen($item['deny_cid']) || strlen($item['deny_gid']))))
? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>' ? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>'
: '<div class="wall-item-lock"></div>'); : '<div class="wall-item-lock"></div>');
@ -235,6 +235,12 @@ function display_content(&$a) {
$location = '<span class="smalltext">' . $coord . '</span>'; $location = '<span class="smalltext">' . $coord . '</span>';
} }
$indent = (($item['parent'] != $item['item_id']) ? ' comment' : '');
if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0)
$indent .= ' shiny';
$o .= replace_macros($template,array( $o .= replace_macros($template,array(
'$id' => $item['item_id'], '$id' => $item['item_id'],
'$profile_url' => $profile_link, '$profile_url' => $profile_link,
@ -247,7 +253,7 @@ function display_content(&$a) {
'$ago' => relative_date($item['created']), '$ago' => relative_date($item['created']),
'$lock' => $lock, '$lock' => $lock,
'$location' => $location, '$location' => $location,
'$indent' => (($item['parent'] != $item['item_id']) ? ' comment' : ''), '$indent' => $indent,
'$owner_url' => $owner_url, '$owner_url' => $owner_url,
'$owner_photo' => $owner_photo, '$owner_photo' => $owner_photo,
'$owner_name' => $owner_name, '$owner_name' => $owner_name,

12
mod/item.php
View file

@ -53,6 +53,8 @@ function item_post(&$a) {
$str_group_deny = perms2str($_POST['group_deny']); $str_group_deny = perms2str($_POST['group_deny']);
$str_contact_deny = perms2str($_POST['contact_deny']); $str_contact_deny = perms2str($_POST['contact_deny']);
$private = ((strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) ? 1 : 0);
$title = notags(trim($_POST['title'])); $title = notags(trim($_POST['title']));
$body = escape_tags(trim($_POST['body'])); $body = escape_tags(trim($_POST['body']));
$location = notags(trim($_POST['location'])); $location = notags(trim($_POST['location']));
@ -195,8 +197,8 @@ function item_post(&$a) {
$r = q("INSERT INTO `item` (`uid`,`type`,`wall`,`gravity`,`contact-id`,`owner-name`,`owner-link`,`owner-avatar`, $r = q("INSERT INTO `item` (`uid`,`type`,`wall`,`gravity`,`contact-id`,`owner-name`,`owner-link`,`owner-avatar`,
`author-name`, `author-link`, `author-avatar`, `created`, `edited`, `changed`, `uri`, `title`, `body`, `location`, `coord`, `author-name`, `author-link`, `author-avatar`, `created`, `edited`, `changed`, `uri`, `title`, `body`, `location`, `coord`,
`tag`, `inform`, `verb`, `allow_cid`, `allow_gid`, `deny_cid`, `deny_gid`) `tag`, `inform`, `verb`, `allow_cid`, `allow_gid`, `deny_cid`, `deny_gid`, `private` )
VALUES( %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s' )", VALUES( %d, '%s', %d, %d, %d, '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d )",
intval($profile_uid), intval($profile_uid),
dbesc($post_type), dbesc($post_type),
intval($wall), intval($wall),
@ -222,7 +224,8 @@ function item_post(&$a) {
dbesc($str_contact_allow), dbesc($str_contact_allow),
dbesc($str_group_allow), dbesc($str_group_allow),
dbesc($str_contact_deny), dbesc($str_contact_deny),
dbesc($str_group_deny) dbesc($str_group_deny),
intval($private)
); );
$r = q("SELECT `id` FROM `item` WHERE `uri` = '%s' LIMIT 1", $r = q("SELECT `id` FROM `item` WHERE `uri` = '%s' LIMIT 1",
dbesc($uri)); dbesc($uri));
@ -241,12 +244,13 @@ function item_post(&$a) {
// Inherit ACL's from the parent item. // Inherit ACL's from the parent item.
// TODO merge with subsequent UPDATE operation and save a db write // TODO merge with subsequent UPDATE operation and save a db write
$r = q("UPDATE `item` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s' $r = q("UPDATE `item` SET `allow_cid` = '%s', `allow_gid` = '%s', `deny_cid` = '%s', `deny_gid` = '%s', `private` = %d
WHERE `id` = %d LIMIT 1", WHERE `id` = %d LIMIT 1",
dbesc($parent_item['allow_cid']), dbesc($parent_item['allow_cid']),
dbesc($parent_item['allow_gid']), dbesc($parent_item['allow_gid']),
dbesc($parent_item['deny_cid']), dbesc($parent_item['deny_cid']),
dbesc($parent_item['deny_gid']), dbesc($parent_item['deny_gid']),
intval($parent_item['private']),
intval($post_id) intval($post_id)
); );

7
mod/lockview.php
View file

@ -22,6 +22,13 @@ function lockview_content(&$a) {
$deny_users = expand_acl($item['deny_cid']); $deny_users = expand_acl($item['deny_cid']);
$deny_groups = expand_acl($item['deny_gid']); $deny_groups = expand_acl($item['deny_gid']);
if(($item['private']) && (! strlen($item['allow_cid'])) && (! strlen($item['allow_gid']))
&& (! strlen($item['deny_cid'])) && (! strlen($item['deny_gid']))) {
echo t('Remote privacy information not available.') . '<br />';
killme();
}
$o = t('Visible to:') . '<br />'; $o = t('Visible to:') . '<br />';
$l = array(); $l = array();

14
mod/network.php
View file

@ -165,11 +165,13 @@ function network_content(&$a, $update = 0) {
if(((activity_match($item['verb'],ACTIVITY_LIKE)) || (activity_match($item['verb'],ACTIVITY_DISLIKE))) && ($item['id'] != $item['parent'])) if(((activity_match($item['verb'],ACTIVITY_LIKE)) || (activity_match($item['verb'],ACTIVITY_DISLIKE))) && ($item['id'] != $item['parent']))
continue; continue;
$lock = (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid'])
|| strlen($item['deny_cid']) || strlen($item['deny_gid'])) $lock = ((($item['private']) || (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid'])
|| strlen($item['deny_cid']) || strlen($item['deny_gid']))))
? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>' ? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>'
: '<div class="wall-item-lock"></div>'); : '<div class="wall-item-lock"></div>');
// Top-level wall post not written by the wall owner (wall-to-wall) // Top-level wall post not written by the wall owner (wall-to-wall)
// First figure out who owns it. // First figure out who owns it.
@ -274,6 +276,12 @@ function network_content(&$a, $update = 0) {
$location = '<span class="smalltext">' . $coord . '</span>'; $location = '<span class="smalltext">' . $coord . '</span>';
} }
$indent = (($item['parent'] != $item['item_id']) ? ' comment' : '');
if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0)
$indent .= ' shiny';
// Build the HTML // Build the HTML
$o .= replace_macros($template,array( $o .= replace_macros($template,array(
@ -288,7 +296,7 @@ function network_content(&$a, $update = 0) {
'$ago' => relative_date($item['created']), '$ago' => relative_date($item['created']),
'$lock' => $lock, '$lock' => $lock,
'$location' => $location, '$location' => $location,
'$indent' => (($item['parent'] != $item['item_id']) ? ' comment' : ''), '$indent' => $indent,
'$owner_url' => $owner_url, '$owner_url' => $owner_url,
'$owner_photo' => $owner_photo, '$owner_photo' => $owner_photo,
'$owner_name' => $owner_name, '$owner_name' => $owner_name,

2
mod/photos.php
View file

@ -644,7 +644,7 @@ function photos_content(&$a) {
$owner_uid = $a->data['user']['uid']; $owner_uid = $a->data['user']['uid'];
$community_page = (($a->data['user']['page-flags'] == PAGE_COMMUNITY) ? true : false); $community_page = (($a->data['user']['page-flags'] == PAGE_COMMUNITY) ? true : false);
dbg(1);
if((local_user()) && (local_user() == $owner_uid)) if((local_user()) && (local_user() == $owner_uid))
$can_post = true; $can_post = true;
else { else {

11
mod/profile.php
View file

@ -305,8 +305,8 @@ function profile_content(&$a, $update = 0) {
&& ($item['id'] != $item['parent'])) && ($item['id'] != $item['parent']))
continue; continue;
$lock = (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid']) $lock = ((($item['private']) || (($item['uid'] == local_user()) && (strlen($item['allow_cid']) || strlen($item['allow_gid'])
|| strlen($item['deny_cid']) || strlen($item['deny_gid'])) || strlen($item['deny_cid']) || strlen($item['deny_gid']))))
? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>' ? '<div class="wall-item-lock"><img src="images/lock_icon.gif" class="lockview" alt="' . t('Private Message') . '" onclick="lockview(event,' . $item['id'] . ');" /></div>'
: '<div class="wall-item-lock"></div>'); : '<div class="wall-item-lock"></div>');
@ -376,6 +376,11 @@ function profile_content(&$a, $update = 0) {
$location = '<span class="smalltext">' . $coord . '</span>'; $location = '<span class="smalltext">' . $coord . '</span>';
} }
$indent = (($item['parent'] != $item['item_id']) ? ' comment' : '');
if(strcmp(datetime_convert('UTC','UTC',$item['created']),datetime_convert('UTC','UTC','now - 12 hours')) > 0)
$indent .= ' shiny';
$o .= replace_macros($template,array( $o .= replace_macros($template,array(
'$id' => $item['item_id'], '$id' => $item['item_id'],
'$profile_url' => $profile_link, '$profile_url' => $profile_link,
@ -387,7 +392,7 @@ function profile_content(&$a, $update = 0) {
'$ago' => relative_date($item['created']), '$ago' => relative_date($item['created']),
'$lock' => $lock, '$lock' => $lock,
'$location' => $location, '$location' => $location,
'$indent' => (($item['parent'] != $item['item_id']) ? ' comment' : ''), '$indent' => $indent,
'$drop' => $drop, '$drop' => $drop,
'$like' => $like, '$like' => $like,
'$vote' => $likebuttons, '$vote' => $likebuttons,

23
mod/redir.php
View file

@ -4,10 +4,13 @@ function redir_init(&$a) {
if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1]))) if((! local_user()) || (! ($a->argc == 2)) || (! intval($a->argv[1])))
goaway($a->get_baseurl()); goaway($a->get_baseurl());
$cid = $a->argv[1];
$r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1", $r = q("SELECT `network`, `issued-id`, `dfrn-id`, `duplex`, `poll` FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
intval($a->argv[1]), intval($cid),
intval(local_user()) intval(local_user())
); );
if((! count($r)) || ($r[0]['network'] !== 'dfrn')) if((! count($r)) || ($r[0]['network'] !== 'dfrn'))
goaway($a->get_baseurl()); goaway($a->get_baseurl());
@ -21,12 +24,20 @@ function redir_init(&$a) {
$orig_id = $r[0]['dfrn-id']; $orig_id = $r[0]['dfrn-id'];
$dfrn_id = '0:' . $orig_id; $dfrn_id = '0:' . $orig_id;
} }
q("INSERT INTO `profile_check` ( `uid`, `dfrn_id`, `expire`)
VALUES( %d, '%s', %d )", $sec = random_string();
intval($_SESSION['uid']),
q("INSERT INTO `profile_check` ( `uid`, `cid`, `dfrn_id`, `sec`, `expire`)
VALUES( %d, %s, '%s', '%s', %d )",
intval(local_user()),
intval($cid),
dbesc($dfrn_id), dbesc($dfrn_id),
intval(time() + 45)); dbesc($sec),
intval(time() + 45)
);
goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id goaway ($r[0]['poll'] . '?dfrn_id=' . $dfrn_id
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=1'); // . '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile');
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec);
} }

26
mod/register.php
View file

@ -30,18 +30,13 @@ function register_post(&$a) {
break; break;
} }
if(x($_POST,'username'))
$username = notags(trim($_POST['username']));
if(x($_POST['nickname']))
$nickname = notags(trim($_POST['nickname']));
if(x($_POST,'email'))
$email = notags(trim($_POST['email']));
if(x($_POST,'openid_url'))
$openid_url = notags(trim($_POST['openid_url']));
$username = ((x($_POST,'username')) ? notags(trim($_POST['username'])) : '');
$nickname = ((x($_POST,'nickname')) ? notags(trim($_POST['nickname'])) : '');
$email = ((x($_POST,'email')) ? notags(trim($_POST['email'])) : '');
$openid_url = ((x($_POST,'openid_url')) ? notags(trim($_POST['openid_url'])) : '');
$photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : ''); $photo = ((x($_POST,'photo')) ? notags(trim($_POST['photo'])) : '');
if((! x($username)) || (! x($email)) || (! x($nickname))) { if((! x($username)) || (! x($email)) || (! x($nickname))) {
if($openid_url) { if($openid_url) {
$_SESSION['register'] = 1; $_SESSION['register'] = 1;
@ -71,14 +66,15 @@ function register_post(&$a) {
// I don't really like having this rule, but it cuts down // I don't really like having this rule, but it cuts down
// on the number of auto-registrations by Russian spammers // on the number of auto-registrations by Russian spammers
// $no_utf = get_config('system','no_utf'); // Using preg_match was completely unreliable, due to mixed UTF-8 regex support
// $no_utf = get_config('system','no_utf');
// $pat = (($no_utf) ? '/^[a-zA-Z]* [a-zA-Z]*$/' : '/^\p{L}* \p{L}*$/u' );
// $pat = (($no_utf) ? '/^[a-zA-Z]* [a-zA-Z]*$/' : '/^\p{L}* \p{L}*$/u' ); // So now we are just looking for a space in the full name.
// $loose_reg = get_config('system','no_regfullname'); $loose_reg = get_config('system','no_regfullname');
if((! $loose_reg) && (! strpos($username,' ')))
// if((! $loose_reg) && (! preg_match($pat,$username))) $err .= t("That doesn\'t appear to be your full \x28First Last\x29 name.") . EOL;
// $err .= t('That doesn\'t appear to be your full name.') . EOL;
if(! allowed_email($email)) if(! allowed_email($email))
$err .= t('Your email domain is not among those allowed on this site.') . EOL; $err .= t('Your email domain is not among those allowed on this site.') . EOL;

7
update.php
View file

@ -186,3 +186,10 @@ function update_1020() {
q("ALTER TABLE `profile` DROP `showwith`"); q("ALTER TABLE `profile` DROP `showwith`");
q("ALTER TABLE `item` ADD `thr-parent` CHAR( 255 ) NOT NULL AFTER `parent-uri` "); q("ALTER TABLE `item` ADD `thr-parent` CHAR( 255 ) NOT NULL AFTER `parent-uri` ");
} }
function update_1021() {
q("ALTER TABLE `profile_check` ADD `sec` CHAR( 255 ) NOT NULL AFTER `dfrn_id` ");
q("ALTER TABLE `profile_check` ADD `cid` INT(10) unsigned NOT NULL DEFAULT '0' AFTER `uid`");
q("ALTER TABLE `item` ADD `private` TINYINT( 1 ) NOT NULL DEFAULT '0' AFTER `deny_gid` ");
}

2
view/en/profile.php
View file

@ -48,7 +48,7 @@
<?php } ?> <?php } ?>
<?php if(strlen($profile['pubkey'])) { ?> <?php if(strlen($profile['pubkey'])) { ?>
<div class="key" style="display: none"><?php echo $profile['pubkey']; ?></div> <div class="key" style="display: none;"><?php echo $profile['pubkey']; ?></div>
<?php } ?> <?php } ?>
</div> </div>
<?php } ?> <?php } ?>

5
view/theme/default/style.css
View file

@ -71,6 +71,11 @@ code {
blockquote:before { blockquote:before {
content: '>> '; content: '>> ';
} }
.shiny {
border-color: orange !important;
}
.nav-login-link { .nav-login-link {
float: right; float: right;
margin-left: 0px; margin-left: 0px;