Merge pull request #7678 from annando/remote-rework

Reworked the remote authentication
2019-09-30 09:18:43 -04:00 · 2019-09-30 09:18:43 -04:00 · 2333526b8a
parent 4d749efcee 6c1d29cf2b
commit 2333526b8a
38 changed files with 289 additions and 590 deletions
--- a/boot.php
+++ b/boot.php
@ -23,6 +23,7 @@ use Friendica\Core\Config;
 use Friendica\Core\PConfig;
 use Friendica\Core\Protocol;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Term;
@ -413,28 +414,13 @@ function public_contact()
 *
 * @return int|bool visitor_id or false
 */
-function remote_user($uid = null)
+function remote_user()
 {
 	// You cannot be both local and remote.
 	// Unncommented by rabuzarus because remote authentication to local
 	// profiles wasn't possible anymore (2018-04-12).
 //	if (local_user()) {
 //		return false;
 //	}
 	if (empty($_SESSION['authenticated'])) {
 		return false;
 	}
-	if (!is_null($uid) && !empty($_SESSION['remote'])) {
+	if (!empty($_SESSION['visitor_id'])) {
 		/// @todo replace it with this:
 		// if (!empty($_SESSION['remote'][$uid])) ...
 		foreach ($_SESSION['remote'] as $visitor) {
 			if ($visitor['uid'] == $uid) {
 				return $visitor['cid'];
 			}
 		}
 	} elseif (is_null($uid) && !empty($_SESSION['visitor_id'])) {
 		return intval($_SESSION['visitor_id']);
 	}
--- a/include/conversation.php
+++ b/include/conversation.php
@ -365,7 +365,7 @@ function localize_item(&$item)
 		'network' => $item['author-network'], 'url' => $item['author-link']];
 	// Only create a redirection to a magic link when logged in
-	if (!empty($item['plink']) && (local_user() || remote_user())) {
+	if (!empty($item['plink']) && Session::isAuthenticated()) {
 		$item['plink'] = Contact::magicLinkByContact($author, $item['plink']);
 	}
 }
--- a/include/items.php
+++ b/include/items.php
@ -13,6 +13,7 @@ use Friendica\Core\PConfig;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Item;
 use Friendica\Protocol\DFRN;
@ -326,7 +327,7 @@ function drop_items(array $items)
 {
 	$uid = 0;
-	if (!local_user() && !remote_user()) {
+	if (!Session::isAuthenticated()) {
 		return;
 	}
@ -362,14 +363,8 @@ function drop_item($id, $return = '')
 	$contact_id = 0;
 	// check if logged in user is either the author or owner of this item
-
+	if (Session::getRemoteContactID($item['uid']) == $item['contact-id']) {
-	if (!empty($_SESSION['remote'])) {
+		$contact_id = $item['contact-id'];
 		foreach ($_SESSION['remote'] as $visitor) {
 			if ($visitor['uid'] == $item['uid'] && $visitor['cid'] == $item['contact-id']) {
 				$contact_id = $visitor['cid'];
 				break;
 			}
 		}
 	}
 	if ((local_user() == $item['uid']) || $contact_id) {
--- a/mod/cal.php
+++ b/mod/cal.php
@ -14,6 +14,7 @@ use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Event;
@ -26,11 +27,7 @@ use Friendica\Util\Temporal;
 function cal_init(App $a)
 {
-	if ($a->argc > 1) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		DFRN::autoRedir($a, $a->argv[1]);
 	}
 	if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
 		throw new \Friendica\Network\HTTPException\ForbiddenException(L10n::t('Access denied.'));
 	}
@ -113,18 +110,11 @@ function cal_content(App $a)
 	$owner_uid = intval($a->data['user']['uid']);
 	$nick = $a->data['user']['nickname'];
-	if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
+	if (!empty(Session::getRemoteContactID($a->profile['profile_uid']))) {
-		foreach ($_SESSION['remote'] as $v) {
+		$contact_id = Session::getRemoteContactID($a->profile['profile_uid']);
 			if ($v['uid'] == $a->profile['profile_uid']) {
 				$contact_id = $v['cid'];
 				break;
 			}
 		}
 	}
 	$groups = [];
 	if ($contact_id) {
 		$groups = Group::getIdsByContactId($contact_id);
 		$r = q("SELECT * FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1",
 			intval($contact_id),
 			intval($a->profile['profile_uid'])
@ -142,7 +132,7 @@ function cal_content(App $a)
 	}
 	// get the permissions
-	$sql_perms = Item::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
+	$sql_perms = Item::getPermissionsSQLByUserId($owner_uid);
 	// we only want to have the events of the profile owner
 	$sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;
--- a/mod/community.php
+++ b/mod/community.php
@ -29,7 +29,7 @@ function community_content(App $a, $update = 0)
 {
 	$o = '';
-	if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		notice(L10n::t('Public access denied.') . EOL);
 		return;
 	}
--- a/mod/dfrn_poll.php
+++ b/mod/dfrn_poll.php
@ -9,6 +9,7 @@ use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Module\Login;
 use Friendica\Protocol\DFRN;
@ -49,7 +50,7 @@ function dfrn_poll_init(App $a)
 	$hidewall = false;
 	if (($dfrn_id === '') && empty($_POST['dfrn_id'])) {
-		if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+		if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 			throw new \Friendica\Network\HTTPException\ForbiddenException();
 		}
@ -110,17 +111,14 @@ function dfrn_poll_init(App $a)
 				if ((int)$xml->status === 1) {
 					$_SESSION['authenticated'] = 1;
 					if (empty($_SESSION['remote'])) {
 						$_SESSION['remote'] = [];
 					}
 					$_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
 					$_SESSION['visitor_id'] = $r[0]['id'];
 					$_SESSION['visitor_home'] = $r[0]['url'];
 					$_SESSION['visitor_handle'] = $r[0]['addr'];
 					$_SESSION['visitor_visiting'] = $r[0]['uid'];
 					$_SESSION['my_url'] = $r[0]['url'];
 					Session::setVisitorsContacts();
 					if (!$quiet) {
 						info(L10n::t('%1$s welcomes %2$s', $r[0]['username'], $r[0]['name']) . EOL);
 					}
@ -517,15 +515,13 @@ function dfrn_poll_content(App $a)
 				if (((int) $xml->status == 0) && ($xml->challenge == $hash) && ($xml->sec == $sec)) {
 					$_SESSION['authenticated'] = 1;
 					if (empty($_SESSION['remote'])) {
 						$_SESSION['remote'] = [];
 					}
 					$_SESSION['remote'][$r[0]['uid']] = ['cid' => $r[0]['id'], 'uid' => $r[0]['uid']];
 					$_SESSION['visitor_id'] = $r[0]['id'];
 					$_SESSION['visitor_home'] = $r[0]['url'];
 					$_SESSION['visitor_visiting'] = $r[0]['uid'];
 					$_SESSION['my_url'] = $r[0]['url'];
 					Session::setVisitorsContacts();
 					if (!$quiet) {
 						info(L10n::t('%1$s welcomes %2$s', $r[0]['username'], $r[0]['name']) . EOL);
 					}
--- a/mod/dfrn_request.php
+++ b/mod/dfrn_request.php
@ -19,6 +19,7 @@ use Friendica\Core\Logger;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
@ -592,7 +593,7 @@ function dfrn_request_content(App $a)
 		exit();
 	} else {
 		// Normal web request. Display our user's introduction form.
-		if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
+		if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 			if (!Config::get('system', 'local_block')) {
 				notice(L10n::t('Public access denied.') . EOL);
 				return;
--- a/mod/display.php
+++ b/mod/display.php
@ -14,6 +14,7 @@ use Friendica\Core\Logger;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
@ -31,7 +32,7 @@ function display_init(App $a)
 		Objects::rawContent();
 	}
-	if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		return;
 	}
@ -52,9 +53,11 @@ function display_init(App $a)
 			if (DBA::isResult($item)) {
 				$nick = $a->user["nickname"];
 			}
 		}
 		// Is this item private but could be visible to the remove visitor?
-		} elseif (remote_user()) {
+		if (!DBA::isResult($item) && remote_user()) {
-			$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]);
+			$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1, 'origin' => true]);
 			if (DBA::isResult($item)) {
 				if (!Contact::isFollower(remote_user(), $item['uid'])) {
 					$item = null;
@ -84,10 +87,6 @@ function display_init(App $a)
 		displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom');
 	}
 	if ($a->argc >= 3 && $nick == 'feed-item') {
 		displayShowFeed($item['id'], $a->argc > 3 && $a->argv[3] == 'conversation.atom');
 	}
 	if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) {
 		Logger::log('Directly serving XML for id '.$item["id"], Logger::DEBUG);
 		displayShowFeed($item["id"], false);
@ -102,7 +101,7 @@ function display_init(App $a)
 	if (strstr(Strings::normaliseLink($profiledata["url"]), Strings::normaliseLink(System::baseUrl()))) {
 		$nickname = str_replace(Strings::normaliseLink(System::baseUrl())."/profile/", "", Strings::normaliseLink($profiledata["url"]));
-		if (($nickname != $a->user["nickname"])) {
+		if ($nickname != $a->user["nickname"]) {
 			$profile = DBA::fetchFirst("SELECT `profile`.`uid` AS `profile_uid`, `profile`.* , `contact`.`avatar-date` AS picdate, `user`.* FROM `profile`
 				INNER JOIN `contact` on `contact`.`uid` = `profile`.`uid` INNER JOIN `user` ON `profile`.`uid` = `user`.`uid`
 				WHERE `user`.`nickname` = ? AND `profile`.`is-default` AND `contact`.`self` LIMIT 1",
@ -197,7 +196,7 @@ function display_fetchauthor($a, $item)
 function display_content(App $a, $update = false, $update_uid = 0)
 {
-	if (Config::get('system','block_public') && !local_user() && !remote_user()) {
+	if (Config::get('system','block_public') && !Session::isAuthenticated()) {
 		throw new HTTPException\ForbiddenException(L10n::t('Public access denied.'));
 	}
@ -229,8 +228,10 @@ function display_content(App $a, $update = false, $update_uid = 0)
 					$item_parent = $item["parent"];
 					$item_parent_uri = $item['parent-uri'];
 				}
-			} elseif (remote_user()) {
+			}
-				$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]);
+
 			if (($item_parent == 0) && remote_user()) {
 				$item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1, 'origin' => true]);
 				if (DBA::isResult($item) && Contact::isFollower(remote_user(), $item['uid'])) {
 					$item_id = $item["id"];
 					$item_parent = $item["parent"];
@ -269,8 +270,6 @@ function display_content(App $a, $update = false, $update_uid = 0)
 				['$alternate' => $alternate,
 					'$conversation' => $conversation]);
 	$groups = [];
 	$remote_cid = null;
 	$is_remote_contact = false;
 	$item_uid = local_user();
@ -279,24 +278,18 @@ function display_content(App $a, $update = false, $update_uid = 0)
 		if (DBA::isResult($parent)) {
 			$a->profile['uid'] = defaults($a->profile, 'uid', $parent['uid']);
 			$a->profile['profile_uid'] = defaults($a->profile, 'profile_uid', $parent['uid']);
-			$is_remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']);
+			$is_remote_contact = Session::getRemoteContactID($a->profile['profile_uid']);
 			if ($is_remote_contact) {
-				$cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']);
+				$item_uid = $parent['uid'];
 				if (!empty($cdata['user'])) {
 					$groups = Group::getIdsByContactId($cdata['user']);
 					$remote_cid = $cdata['user'];
 					$item_uid = $parent['uid'];
 				}
 			}
 		}
 	}
 	$page_contact = DBA::selectFirst('contact', [], ['self' => true, 'uid' => $a->profile['uid']]);
 	if (DBA::isResult($page_contact)) {
 		$a->page_contact = $page_contact;
 	}
 	$is_owner = (local_user() && (in_array($a->profile['profile_uid'], [local_user(), 0])) ? true : false);
 	if (!empty($a->profile['hidewall']) && !$is_owner && !$is_remote_contact) {
@ -318,7 +311,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
 		];
 		$o .= status_editor($a, $x, 0, true);
 	}
-	$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $is_remote_contact, $groups, $remote_cid);
+	$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid']);
 	if (local_user() && (local_user() == $a->profile['profile_uid'])) {
 		$condition = ['parent-uri' => $item_parent_uri, 'uid' => local_user(), 'unseen' => true];
@ -333,7 +326,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
 	$condition = ["`id` = ? AND `item`.`uid` IN (0, ?) " . $sql_extra, $item_id, $item_uid];
 	$fields = ['parent-uri', 'body', 'title', 'author-name', 'author-avatar', 'plink', 'author-id', 'owner-id', 'contact-id'];
-	$item = Item::selectFirstForUser(local_user(), $fields, $condition);
+	$item = Item::selectFirstForUser($a->profile['profile_uid'], $fields, $condition);
 	if (!DBA::isResult($item)) {
 		throw new HTTPException\NotFoundException(L10n::t('The requested item doesn\'t exist or has been deleted.'));
--- a/mod/hcard.php
+++ b/mod/hcard.php
@ -6,13 +6,14 @@ use Friendica\App;
 use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Model\Contact;
 use Friendica\Model\Profile;
 use Friendica\Model\User;
 function hcard_init(App $a)
 {
-	$blocked = Config::get('system', 'block_public') && !local_user() && !remote_user();
+	$blocked = Config::get('system', 'block_public') && !Session::isAuthenticated();
 	if ($a->argc > 1) {
 		$which = $a->argv[1];
--- a/mod/item.php
+++ b/mod/item.php
@ -25,6 +25,7 @@ use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\Protocol;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\Model\Attach;
@ -45,7 +46,7 @@ use Friendica\Worker\Delivery;
 require_once __DIR__ . '/../include/items.php';
 function item_post(App $a) {
-	if (!local_user() && !remote_user()) {
+	if (!Session::isAuthenticated()) {
 		return 0;
 	}
@ -348,18 +349,8 @@ function item_post(App $a) {
 	if (local_user() && ((local_user() == $profile_uid) || $allow_comment)) {
 		$self = true;
 		$author = DBA::selectFirst('contact', [], ['uid' => local_user(), 'self' => true]);
-	} elseif (remote_user()) {
+	} elseif (!empty(Session::getRemoteContactID($profile_uid))) {
-		if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
+		$author = DBA::selectFirst('contact', [], ['id' => Session::getRemoteContactID($profile_uid)]);
 			foreach ($_SESSION['remote'] as $v) {
 				if ($v['uid'] == $profile_uid) {
 					$contact_id = $v['cid'];
 					break;
 				}
 			}
 		}
 		if ($contact_id) {
 			$author = DBA::selectFirst('contact', [], ['id' => $contact_id]);
 		}
 	}
 	if (DBA::isResult($author)) {
@ -870,7 +861,7 @@ function item_post_return($baseurl, $api_source, $return_path)
 function item_content(App $a)
 {
-	if (!local_user() && !remote_user()) {
+	if (!Session::isAuthenticated()) {
 		return;
 	}
--- a/mod/photos.php
+++ b/mod/photos.php
@ -15,6 +15,7 @@ use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
@ -35,11 +36,7 @@ use Friendica\Util\XML;
 function photos_init(App $a) {
-	if ($a->argc > 1) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		DFRN::autoRedir($a, $a->argv[1]);
 	}
 	if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
 		return;
 	}
@ -73,7 +70,7 @@ function photos_init(App $a) {
 		$albums = Photo::getAlbums($a->data['user']['uid']);
-		$albums_visible = ((intval($a->data['user']['hidewall']) && !local_user() && !remote_user()) ? false : true);
+		$albums_visible = ((intval($a->data['user']['hidewall']) && !Session::isAuthenticated()) ? false : true);
 		// add various encodings to the array so we can just loop through and pick them out in a template
 		$ret = ['success' => false];
@ -88,7 +85,7 @@ function photos_init(App $a) {
 			$ret['albums'] = [];
 			foreach ($albums as $k => $album) {
 				//hide profile photos to others
-				if (!$is_owner && !remote_user() && ($album['album'] == L10n::t('Profile Photos')))
+				if (!$is_owner && !Session::getRemoteContactID($a->profile_uid) && ($album['album'] == L10n::t('Profile Photos')))
 					continue;
 				$entry = [
 					'text'      => $album['album'],
@ -154,15 +151,10 @@ function photos_post(App $a)
 	if (local_user() && (local_user() == $page_owner_uid)) {
 		$can_post = true;
-	} elseif ($community_page && remote_user($page_owner_uid)) {
+	} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
-		$contact_id = remote_user($page_owner_uid);
+		$contact_id = Session::getRemoteContactID($page_owner_uid);
-
+		$can_post = true;
-		if ($contact_id > 0) {
+		$visitor = $contact_id;
 			if (DBA::exists('contact', ['id' => $contact_id, 'uid' => $page_owner_uid, 'blocked' => false, 'pending' => false])) {
 				$can_post = true;
 				$visitor = $contact_id;
 			}
 		}
 	}
 	if (!$can_post) {
@ -837,7 +829,7 @@ function photos_content(App $a)
 	// photos/name/image/xxxxx/edit
 	// photos/name/image/xxxxx/drop
-	if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		notice(L10n::t('Public access denied.') . EOL);
 		return;
 	}
@ -883,50 +875,24 @@ function photos_content(App $a)
 	if (local_user() && (local_user() == $owner_uid)) {
 		$can_post = true;
-	} else {
+	} elseif ($community_page && !empty(Session::getRemoteContactID($owner_uid))) {
-		if ($community_page && remote_user()) {
+		$contact_id = Session::getRemoteContactID($owner_uid);
-			if (is_array($_SESSION['remote'])) {
+		$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
 				foreach ($_SESSION['remote'] as $v) {
 					if ($v['uid'] == $owner_uid) {
 						$contact_id = $v['cid'];
 						break;
 					}
 				}
 			}
-			if ($contact_id) {
+		if (DBA::isResult($contact)) {
-				$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
+			$can_post = true;
-
+			$remote_contact = true;
-				if (DBA::isResult($contact)) {
+			$visitor = $contact_id;
 					$can_post = true;
 					$remote_contact = true;
 					$visitor = $contact_id;
 				}
 			}
 		}
 	}
 	$groups = [];
 	// perhaps they're visiting - but not a community page, so they wouldn't have write access
-	if (remote_user() && !$visitor) {
+	if (!empty(Session::getRemoteContactID($owner_uid)) && !$visitor) {
-		$contact_id = 0;
+		$contact_id = Session::getRemoteContactID($owner_uid);
 		if (is_array($_SESSION['remote'])) {
 			foreach ($_SESSION['remote'] as $v) {
 				if ($v['uid'] == $owner_uid) {
 					$contact_id = $v['cid'];
 					break;
 				}
 			}
 		}
-		if ($contact_id) {
+		$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
 			$groups = Group::getIdsByContactId($contact_id);
-			$contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $owner_uid, 'blocked' => false, 'pending' => false]);
+		$remote_contact = DBA::isResult($contact);
 			$remote_contact = DBA::isResult($contact);
 		}
 	}
 	if (!$remote_contact && local_user()) {
@ -939,7 +905,7 @@ function photos_content(App $a)
 		return;
 	}
-	$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
+	$sql_extra = Security::getPermissionsSQLByUserId($owner_uid);
 	$o = "";
@ -1598,7 +1564,7 @@ function photos_content(App $a)
 		$twist = false;
 		foreach ($r as $rr) {
 			//hide profile photos to others
-			if (!$is_owner && !remote_user() && ($rr['album'] == L10n::t('Profile Photos'))) {
+			if (!$is_owner && !Session::getRemoteContactID($owner_uid) && ($rr['album'] == L10n::t('Profile Photos'))) {
 				continue;
 			}
--- a/mod/redir.php
+++ b/mod/redir.php
@ -35,7 +35,7 @@ function redir_init(App $a) {
 		$contact_url = $contact['url'];
-		if ((!local_user() && !remote_user()) // Visitors (not logged in or not remotes) can't authenticate.
+		if (!Session::isAuthenticated() // Visitors (not logged in or not remotes) can't authenticate.
 			|| (!empty($a->contact['id']) && $a->contact['id'] == $cid)) // Local user is already authenticated.
 		{
 			$a->redirect(defaults($url, $contact_url));
@ -66,34 +66,16 @@ function redir_init(App $a) {
 			// with the local contact. Otherwise the local user would ask the local contact
 			// for authentification everytime he/she is visiting a profile page of the local
 			// contact.
-			if ($host == $remotehost
+			if (($host == $remotehost) && (Session::getRemoteContactID(Session::get('visitor_visiting')) == Session::get('visitor_id'))) {
-				&& !empty($_SESSION['remote'])
+				// Remote user is already authenticated.
-				&& is_array($_SESSION['remote']))
+				$target_url = defaults($url, $contact_url);
-			{
+				Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG);
-				foreach ($_SESSION['remote'] as $v) {
+				$a->redirect($target_url);
 					if (!empty($v['uid']) && !empty($v['cid']) &&
 					    $v['uid'] == Session::get('visitor_visiting') &&
 					    $v['cid'] == Session::get('visitor_id')) {
 						// Remote user is already authenticated.
 						$target_url = defaults($url, $contact_url);
 						Logger::log($contact['name'] . " is already authenticated. Redirecting to " . $target_url, Logger::DEBUG);
 						$a->redirect($target_url);
 					}
 				}
 			}
 		}
 		// When the remote page does support OWA, then we enforce the use of it
 		$basepath = Contact::getBasepath($contact_url);
 		if (Strings::compareLink($basepath, System::baseUrl())) {
 			$use_magic = true;
 		} else {
 			$serverret = Network::curl($basepath . '/magic');
 			$use_magic = $serverret->isSuccess();
 		}
 		// Doing remote auth with dfrn.
-		if (local_user() && !$use_magic && (!empty($contact['dfrn-id']) || !empty($contact['issued-id'])) && empty($contact['pending'])) {
+		if (local_user() && (!empty($contact['dfrn-id']) || !empty($contact['issued-id'])) && empty($contact['pending'])) {
 			$dfrn_id = $orig_id = (($contact['issued-id']) ? $contact['issued-id'] : $contact['dfrn-id']);
 			if ($contact['duplex'] && $contact['issued-id']) {
@ -148,23 +130,6 @@ function redir_magic($a, $cid, $url)
 		Logger::info('Got my url', ['visitor' => $visitor]);
 	}
 	/// @todo Most likely these lines are superfluous. We will remove them in the next version
 	if (empty($visitor) && remote_user()) {
 		$contact = DBA::selectFirst('contact', ['url'], ['id' => remote_user()]);
 		if (!empty($contact['url'])) {
 			$visitor = $contact['url'];
 			Logger::info('Got remote user', ['visitor' => $visitor]);
 		}
 	}
 	if (empty($visitor) && local_user()) {
 		$contact = DBA::selectFirst('contact', ['url'], ['id' => local_user()]);
 		if (!empty($contact['url'])) {
 			$visitor = $contact['url'];
 			Logger::info('Got local user', ['visitor' => $visitor]);
 		}
 	}
 	$contact = DBA::selectFirst('contact', ['url'], ['id' => $cid]);
 	if (!DBA::isResult($contact)) {
 		Logger::info('Contact not found', ['id' => $cid]);
--- a/mod/search.php
+++ b/mod/search.php
@ -11,6 +11,7 @@ use Friendica\Core\Cache;
 use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\Session;
 use Friendica\Core\Renderer;
 use Friendica\Database\DBA;
 use Friendica\Model\Item;
@ -83,18 +84,18 @@ function search_init(App $a) {
 }
 function search_content(App $a) {
-	if (Config::get('system','block_public') && !local_user() && !remote_user()) {
+	if (Config::get('system','block_public') && !Session::isAuthenticated()) {
 		notice(L10n::t('Public access denied.') . EOL);
 		return;
 	}
-	if (Config::get('system','local_search') && !local_user() && !remote_user()) {
+	if (Config::get('system','local_search') && !Session::isAuthenticated()) {
 		$e = new \Friendica\Network\HTTPException\ForbiddenException(L10n::t("Only logged in users are permitted to perform a search."));
 		$e->httpdesc = L10n::t("Public access denied.");
 		throw $e;
 	}
-	if (Config::get('system','permit_crawling') && !local_user() && !remote_user()) {
+	if (Config::get('system','permit_crawling') && !Session::isAuthenticated()) {
 		// Default values:
 		// 10 requests are "free", after the 11th only a call per minute is allowed
--- a/mod/subthread.php
+++ b/mod/subthread.php
@ -15,7 +15,7 @@ use Friendica\Util\XML;
 function subthread_content(App $a) {
-	if (!local_user() && !remote_user()) {
+	if (!Session::isAuthenticated()) {
 		return;
 	}
--- a/mod/tagger.php
+++ b/mod/tagger.php
@ -7,6 +7,7 @@ use Friendica\Core\Hook;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\Model\Item;
@ -16,7 +17,7 @@ use Friendica\Worker\Delivery;
 function tagger_content(App $a) {
-	if (!local_user() && !remote_user()) {
+	if (!Session::isAuthenticated()) {
 		return;
 	}
--- a/mod/videos.php
+++ b/mod/videos.php
@ -10,6 +10,7 @@ use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Attach;
 use Friendica\Model\Contact;
@ -22,11 +23,7 @@ use Friendica\Util\Security;
 function videos_init(App $a)
 {
-	if ($a->argc > 1) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		DFRN::autoRedir($a, $a->argv[1]);
 	}
 	if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
 		return;
 	}
@ -114,7 +111,7 @@ function videos_content(App $a)
 	// videos/name/video/xxxxx/edit
-	if ((Config::get('system', 'block_public')) && (!local_user()) && (!remote_user())) {
+	if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 		notice(L10n::t('Public access denied.') . EOL);
 		return;
 	}
@ -154,64 +151,25 @@ function videos_content(App $a)
 	if ((local_user()) && (local_user() == $owner_uid)) {
 		$can_post = true;
-	} elseif ($community_page && remote_user()) {
+	} elseif ($community_page && !empty(Session::getRemoteContactID($owner_uid))) {
-		if (!empty($_SESSION['remote'])) {
+		$contact_id = Session::getRemoteContactID($owner_uid);
-			foreach ($_SESSION['remote'] as $v) {
+		$can_post = true;
-				if ($v['uid'] == $owner_uid) {
+		$remote_contact = true;
-					$contact_id = $v['cid'];
+		$visitor = $contact_id;
 					break;
 				}
 			}
 		}
 		if ($contact_id > 0) {
 			$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
 				intval($contact_id),
 				intval($owner_uid)
 			);
 			if (DBA::isResult($r)) {
 				$can_post = true;
 				$remote_contact = true;
 				$visitor = $contact_id;
 			}
 		}
 	}
 	$groups = [];
 	// perhaps they're visiting - but not a community page, so they wouldn't have write access
-	if (remote_user() && (!$visitor)) {
+	if (!empty(Session::getRemoteContactID($owner_uid)) && !$visitor) {
-		$contact_id = 0;
+		$contact_id = Session::getRemoteContactID($owner_uid);
-
+		$remote_contact = true;
 		if (!empty($_SESSION['remote'])) {
 			foreach($_SESSION['remote'] as $v) {
 				if($v['uid'] == $owner_uid) {
 					$contact_id = $v['cid'];
 					break;
 				}
 			}
 		}
 		if ($contact_id > 0) {
 			$groups = Group::getIdsByContactId($contact_id);
 			$r = q("SELECT * FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
 				intval($contact_id),
 				intval($owner_uid)
 			);
 			if (DBA::isResult($r)) {
 				$remote_contact = true;
 			}
 		}
 	}
-	if ($a->data['user']['hidewall'] && (local_user() != $owner_uid) && (!$remote_contact)) {
+	if ($a->data['user']['hidewall'] && (local_user() != $owner_uid) && !$remote_contact) {
 		notice(L10n::t('Access to this item is restricted.') . EOL);
 		return;
 	}
-	$sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
+	$sql_extra = Security::getPermissionsSQLByUserId($owner_uid);
 	$o = "";
--- a/mod/wall_attach.php
+++ b/mod/wall_attach.php
@ -6,6 +6,7 @@
 use Friendica\App;
 use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Attach;
 use Friendica\Model\User;
@ -43,35 +44,21 @@ function wall_attach_post(App $a) {
 	$page_owner_cid   = $r[0]['id'];
 	$community_page   = (($r[0]['page-flags'] == User::PAGE_FLAGS_COMMUNITY) ? true : false);
-	if ((local_user()) && (local_user() == $page_owner_uid)) {
+	if (local_user() && (local_user() == $page_owner_uid)) {
 		$can_post = true;
-	} else {
+	} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
-		if ($community_page && remote_user()) {
+		$contact_id = Session::getRemoteContactID($page_owner_uid);
-			$contact_id = 0;
+		$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
 			intval($contact_id),
 			intval($page_owner_uid)
 		);
-			if (is_array($_SESSION['remote'])) {
+		if (DBA::isResult($r)) {
-				foreach ($_SESSION['remote'] as $v) {
+			$can_post = true;
 					if ($v['uid'] == $page_owner_uid) {
 						$contact_id = $v['cid'];
 						break;
 					}
 				}
 			}
 			if ($contact_id > 0) {
 				$r = q("SELECT `uid` FROM `contact` WHERE `blocked` = 0 AND `pending` = 0 AND `id` = %d AND `uid` = %d LIMIT 1",
 					intval($contact_id),
 					intval($page_owner_uid)
 				);
 				if (DBA::isResult($r)) {
 					$can_post = true;
 				}
 			}
 		}
 	}
-	if (! $can_post) {
+	if (!$can_post) {
 		if ($r_json) {
 			echo json_encode(['error' => L10n::t('Permission denied.')]);
 			exit();
--- a/mod/wall_upload.php
+++ b/mod/wall_upload.php
@ -12,6 +12,7 @@ use Friendica\App;
 use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Core\Config;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
@ -74,34 +75,21 @@ function wall_upload_post(App $a, $desktopmode = true)
 	if ((local_user()) && (local_user() == $page_owner_uid)) {
 		$can_post = true;
-	} else {
+	} elseif ($community_page && !empty(Session::getRemoteContactID($page_owner_uid))) {
-		if ($community_page && remote_user()) {
+		$contact_id = Session::getRemoteContactID($page_owner_uid);
 			$contact_id = 0;
 			if (is_array($_SESSION['remote'])) {
 				foreach ($_SESSION['remote'] as $v) {
 					if ($v['uid'] == $page_owner_uid) {
 						$contact_id = $v['cid'];
 						break;
 					}
 				}
 			}
-			if ($contact_id) {
+		$r = q("SELECT `uid` FROM `contact`
-				$r = q("SELECT `uid` FROM `contact`
+			WHERE `blocked` = 0 AND `pending` = 0
-					WHERE `blocked` = 0 AND `pending` = 0
+			AND `id` = %d AND `uid` = %d LIMIT 1",
-					AND `id` = %d AND `uid` = %d LIMIT 1",
+			intval($contact_id),
-					intval($contact_id),
+			intval($page_owner_uid)
-					intval($page_owner_uid)
+		);
-				);
+		if (DBA::isResult($r)) {
-				if (DBA::isResult($r)) {
+			$can_post = true;
-					$can_post = true;
+			$visitor = $contact_id;
 					$visitor = $contact_id;
 				}
 			}
 		}
 	}
 	if (!$can_post) {
 		if ($r_json) {
 			echo json_encode(['error' => L10n::t('Permission denied.')]);
--- a/src/Content/Nav.php
+++ b/src/Content/Nav.php
@ -149,7 +149,7 @@ class Nav
 		$nav['usermenu'] = [];
 		$userinfo = null;
-		if (local_user() || remote_user()) {
+		if (Session::isAuthenticated()) {
 			$nav['logout'] = ['logout', L10n::t('Logout'), '', L10n::t('End this session')];
 		} else {
 			$nav['login'] = ['login', L10n::t('Login'), ($a->module == 'login' ? 'selected' : ''), L10n::t('Sign in')];
@ -182,7 +182,7 @@ class Nav
 			$nav['home'] = [$homelink, L10n::t('Home'), '', L10n::t('Home Page')];
 		}
-		if (intval(Config::get('config', 'register_policy')) === \Friendica\Module\Register::OPEN && !local_user() && !remote_user()) {
+		if (intval(Config::get('config', 'register_policy')) === \Friendica\Module\Register::OPEN && !Session::isAuthenticated()) {
 			$nav['register'] = ['register', L10n::t('Register'), '', L10n::t('Create an account')];
 		}
--- a/src/Content/Widget.php
+++ b/src/Content/Widget.php
@ -11,6 +11,7 @@ use Friendica\Core\PConfig;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\FileTag;
@ -339,7 +340,7 @@ class Widget
 		$zcid = 0;
-		$cid = remote_user($profile_uid);
+		$cid = Session::getRemoteContactID($profile_uid);
 		if (!$cid) {
 			if (Profile::getMyURL()) {
--- a/src/Core/ACL.php
+++ b/src/Core/ACL.php
@ -11,6 +11,7 @@ use Friendica\Content\Feature;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\GContact;
 use Friendica\Core\Session;
 use Friendica\Util\Network;
 /**
@ -333,7 +334,7 @@ class ACL extends BaseObject
 	 */
 	public static function contactAutocomplete($search, $mode, int $page = 1)
 	{
-		if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+		if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 			return [];
 		}
--- a/src/Core/Session.php
+++ b/src/Core/Session.php
@ -53,7 +53,7 @@ class Session
 	/**
 	 * Retrieves a key from the session super global or the defaults if the key is missing or the value is falsy.
-	 * 
+	 *
 	 * Handle the case where session_start() hasn't been called and the super global isn't available.
 	 *
 	 * @param string $name
@ -119,21 +119,10 @@ class Session
 			'page_flags'    => $user_record['page-flags'],
 			'my_url'        => $a->getBaseURL() . '/profile/' . $user_record['nickname'],
 			'my_address'    => $user_record['nickname'] . '@' . substr($a->getBaseURL(), strpos($a->getBaseURL(), '://') + 3),
-			'addr'          => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0'),
+			'addr'          => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')
 			'remote'	=> []
 		]);
-		$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
+		self::setVisitorsContacts();
 		while ($contact = DBA::fetch($remote_contacts)) {
 			if (($contact['uid'] == 0) || Contact::isBlockedByUser($contact['id'], $contact['uid'])) {
 				continue;
 			}
 			/// @todo Change it to this format to save space
 			// $_SESSION['remote'][$contact['uid']] = $contact['id'];
 			$_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
 		}
 		DBA::close($remote_contacts);
 		$member_since = strtotime($user_record['register_date']);
 		self::set('new_member', time() < ($member_since + ( 60 * 60 * 24 * 14)));
@ -216,4 +205,68 @@ class Session
 			}
 		}
 	}
 	/**
 	 * Returns contact ID for given user ID
 	 *
 	 * @param integer $uid User ID
 	 * @return integer Contact ID of visitor for given user ID
 	 */
 	public static function getRemoteContactID($uid)
 	{
 		if (empty($_SESSION['remote'][$uid])) {
 			return false;
 		}
 		return $_SESSION['remote'][$uid];
 	}
 	/**
 	 * Returns User ID for given contact ID of the visitor
 	 *
 	 * @param integer $cid Contact ID
 	 * @return integer User ID for given contact ID of the visitor
 	 */
 	public static function getUserIDForVisitorContactID($cid)
 	{
 		if (empty($_SESSION['remote'])) {
 			return false;
 		}
 		return array_search($cid, $_SESSION['remote']);
 	}
 	/**
 	 * Set the session variable that contains the contact IDs for the visitor's contact URL
 	 *
 	 * @param string $url Contact URL
 	 */
 	public static function setVisitorsContacts()
 	{
 		$_SESSION['remote'] = [];
 		$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => Strings::normaliseLink($_SESSION['my_url']), 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
 		while ($contact = DBA::fetch($remote_contacts)) {
 			if (($contact['uid'] == 0) || Contact::isBlockedByUser($contact['id'], $contact['uid'])) {
 				continue;
 			}
 			$_SESSION['remote'][$contact['uid']] = $contact['id'];
 		}
 		DBA::close($remote_contacts);
 	}
 	/**
 	 * Returns if the current visitor is authenticated
 	 *
 	 * @return boolean "true" when visitor is either a local or remote user
 	 */
 	public static function isAuthenticated()
 	{
 		if (empty($_SESSION['authenticated'])) {
 			return false;
 		}
 		return $_SESSION['authenticated'];
 	}
 }
--- a/src/Model/Contact.php
+++ b/src/Model/Contact.php
@ -13,6 +13,7 @@ use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\Protocol;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\Network\Probe;
@ -1213,7 +1214,7 @@ class Contact extends BaseObject
 		}
 		if (($contact['network'] == Protocol::DFRN) && !$contact['self'] && empty($contact['pending'])) {
-			$poke_link = System::baseUrl() . '/poke/?f=&c=' . $contact['id'];
+			$poke_link = System::baseUrl() . '/poke/?c=' . $contact['id'];
 		}
 		$contact_url = System::baseUrl() . '/contact/' . $contact['id'];
@ -2679,7 +2680,7 @@ class Contact extends BaseObject
 	 */
 	public static function magicLink($contact_url, $url = '')
 	{
-		if (!local_user() && !remote_user()) {
+		if (!Session::isAuthenticated()) {
 			return $url ?: $contact_url; // Equivalent to: ($url != '') ? $url : $contact_url;
 		}
@ -2725,7 +2726,7 @@ class Contact extends BaseObject
 	{
 		$destination = $url ?: $contact['url']; // Equivalent to ($url != '') ? $url : $contact['url'];
-		if ((!local_user() && !remote_user()) || ($contact['network'] != Protocol::DFRN)) {
+		if (!Session::isAuthenticated() || ($contact['network'] != Protocol::DFRN)) {
 			return $destination;
 		}
--- a/src/Model/Item.php
+++ b/src/Model/Item.php
@ -18,6 +18,7 @@ use Friendica\Core\PConfig;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\System;
 use Friendica\Core\Session;
 use Friendica\Core\Worker;
 use Friendica\Database\DBA;
 use Friendica\Protocol\ActivityPub;
@ -3028,7 +3029,7 @@ class Item extends BaseObject
 	 */
 	public static function performLike($item_id, $verb)
 	{
-		if (!local_user() && !remote_user()) {
+		if (!Session::isAuthenticated()) {
 			return false;
 		}
@ -3260,10 +3261,10 @@ class Item extends BaseObject
 		}
 	}
-	public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null, $remote_cid = null)
+	public static function getPermissionsSQLByUserId($owner_id)
 	{
 		$local_user = local_user();
-		$remote_user = remote_user();
+		$remote_user = Session::getRemoteContactID($owner_id);
 		/*
 		 * Construct permissions
@ -3283,7 +3284,7 @@ class Item extends BaseObject
 			 * If pre-verified, the caller is expected to have already
 			 * done this and passed the groups into this function.
 			 */
-			$set = PermissionSet::get($owner_id, $remote_cid, $groups);
+			$set = PermissionSet::get($owner_id, $remote_user);
 			if (!empty($set)) {
 				$sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))";
@ -3427,7 +3428,7 @@ class Item extends BaseObject
 		}
 		// Update the cached values if there is no "zrl=..." on the links.
-		$update = (!local_user() && !remote_user() && ($item["uid"] == 0));
+		$update = (!Session::isAuthenticated() && ($item["uid"] == 0));
 		// Or update it if the current viewer is the intented viewer.
 		if (($item["uid"] == local_user()) && ($item["uid"] != 0)) {
--- a/src/Model/PermissionSet.php
+++ b/src/Model/PermissionSet.php
@ -67,21 +67,20 @@ class PermissionSet extends BaseObject
 	 *
 	 * @param integer $uid        User id whom the items belong
 	 * @param integer $contact_id Contact id of the visitor
 	 * @param array   $groups     Possibly previously fetched group ids for that contact
 	 *
 	 * @return array of permission set ids.
 	 * @throws \Exception
 	 */
-
+	static public function get($uid, $contact_id)
 	static public function get($uid, $contact_id, $groups = null)
 	{
-		if (empty($groups) && DBA::exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
+		if (DBA::exists('contact', ['id' => $contact_id, 'uid' => $uid, 'blocked' => false])) {
 			$groups = Group::getIdsByContactId($contact_id);
 		}
 		if (empty($groups) || !is_array($groups)) {
 			return [];
 		}
 		$group_str = '<<>>'; // should be impossible to match
 		foreach ($groups as $g) {
@ -90,11 +89,9 @@ class PermissionSet extends BaseObject
 		$contact_str = '<' . $contact_id . '>';
-		$condition = ["`uid` = ? AND (`allow_cid` = '' OR`allow_cid` REGEXP ?)
+		$condition = ["`uid` = ? AND (NOT (`deny_cid` REGEXP ? OR deny_gid REGEXP ?)
-			AND (`deny_cid` = '' OR NOT `deny_cid` REGEXP ?)
+			AND (allow_cid REGEXP ? OR allow_gid REGEXP ? OR (allow_cid = '' AND allow_gid = '')))",
-			AND (`allow_gid` = '' OR `allow_gid` REGEXP ?)
+			$uid, $contact_str, $group_str, $contact_str, $group_str];
 			AND (`deny_gid` = '' OR NOT `deny_gid` REGEXP ?)",
 			$uid, $contact_str, $contact_str, $group_str, $group_str];
 		$ret = DBA::select('permissionset', ['id'], $condition);
 		$set = [];
--- a/src/Model/Photo.php
+++ b/src/Model/Photo.php
@ -131,31 +131,17 @@ class Photo extends BaseObject
 	 */
 	public static function getPhoto($resourceid, $scale = 0)
 	{
-		$r = self::selectFirst(["uid", "allow_cid", "allow_gid", "deny_cid", "deny_gid"], ["resource-id" => $resourceid]);
+		$r = self::selectFirst(["uid"], ["resource-id" => $resourceid]);
-		if ($r === false) {
+		if (!DBA::isResult($r)) {
 			return false;
 		}
 		$uid = $r["uid"];
-		// This is the first place, when retrieving just a photo, that we know who owns the photo.
+		$uid = $r["uid"];
 		// Check if the photo is public (empty allow and deny means public), if so, skip auth attempt, if not
 		// make sure that the requester's session is appropriately authenticated to that user
 		// otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
 		if (!empty($r["allow_cid"]) || !empty($r["allow_gid"]) || !empty($r["deny_cid"]) || !empty($r["deny_gid"])) {
 			$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
 			// this will either just return (if auth all ok) or will redirect and exit (starting over)
 			DFRN::autoRedir(self::getApp(), $r["nickname"]);
 		}
 		$sql_acl = Security::getPermissionsSQLByUserId($uid);
-		$conditions = [
+		$conditions = ["`resource-id` = ? AND `scale` <= ? " . $sql_acl, $resourceid, $scale];
 			"`resource-id` = ? AND `scale` <= ? " . $sql_acl,
 			$resourceid, $scale
 		];
 		$params = ["order" => ["scale" => true]];
 		$photo = self::selectFirst([], $conditions, $params);
 		return $photo;
--- a/src/Model/Profile.php
+++ b/src/Model/Profile.php
@ -215,7 +215,7 @@ class Profile
 			);
 		}
-		$block = ((Config::get('system', 'block_public') && !local_user() && !remote_user()) ? true : false);
+		$block = ((Config::get('system', 'block_public') && !Session::isAuthenticated()) ? true : false);
 		/**
 		 * @todo
@ -248,15 +248,10 @@ class Profile
 	 */
 	public static function getByNickname($nickname, $uid = 0, $profile_id = 0)
 	{
-		if (remote_user($uid) && !empty($_SESSION['remote'])) {
+		if (!empty(Session::getRemoteContactID($uid))) {
-			foreach ($_SESSION['remote'] as $visitor) {
+			$contact = DBA::selectFirst('contact', ['profile-id'], ['id' => Session::getRemoteContactID($uid)]);
-				if ($visitor['uid'] == $uid) {
+			if (DBA::isResult($contact)) {
-					$contact = DBA::selectFirst('contact', ['profile-id'], ['id' => $visitor['cid']]);
+				$profile_id = $contact['profile-id'];
 					if (DBA::isResult($contact)) {
 						$profile_id = $contact['profile-id'];
 					}
 					break;
 				}
 			}
 		}
@ -453,7 +448,7 @@ class Profile
 		$about    = !empty($profile['about'])    ? L10n::t('About:')    : false;
 		$xmpp     = !empty($profile['xmpp'])     ? L10n::t('XMPP:')     : false;
-		if ((!empty($profile['hidewall']) || $block) && !local_user() && !remote_user()) {
+		if ((!empty($profile['hidewall']) || $block) && !Session::isAuthenticated()) {
 			$location = $gender = $marital = $homepage = $about = false;
 		}
@ -1029,6 +1024,12 @@ class Profile
 	 *
 	 * Ported from Hubzilla: https://framagit.org/hubzilla/core/blob/master/include/channel.php
 	 *
 	 * The implementation for Friendica sadly differs in some points from the one for Hubzilla:
 	 * - Hubzilla uses the "zid" parameter, while for Friendica it had been replaced with "zrl"
 	 * - There seem to be some reverse authentication (rmagic) that isn't implemented in Friendica at all
 	 *
 	 * It would be favourable to harmonize the two implementations.
 	 *
 	 * @param App $a Application instance.
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 * @throws \ImagickException
@ -1042,6 +1043,8 @@ class Profile
 			return;
 		}
 		$addr = $_GET['addr'] ?? $my_url;
 		$arr = ['zrl' => $my_url, 'url' => $a->cmd];
 		Hook::callAll('zrl_init', $arr);
@ -1072,19 +1075,19 @@ class Profile
 		Worker::add(PRIORITY_LOW, 'GProbe', $my_url);
-		// Try to avoid recursion - but send them home to do a proper magic auth.
+		// Remove the "addr" parameter from the destination. It is later added as separate parameter again.
-		$query = str_replace(array('?zrl=', '&zid='), array('?rzrl=', '&rzrl='), $a->query_string);
+		$addr_request = 'addr=' . urlencode($addr);
 		$query = rtrim(str_replace($addr_request, '', $a->query_string), '?&');
 		// The other instance needs to know where to redirect.
 		$dest = urlencode($a->getBaseURL() . '/' . $query);
 		// We need to extract the basebath from the profile url
 		// to redirect the visitors '/magic' module.
-		// Note: We should have the basepath of a contact also in the contact table.
+		$basepath = Contact::getBasepath($contact['url']);
 		$urlarr = explode('/profile/', $contact['url']);
 		$basepath = $urlarr[0];
-		if ($basepath != $a->getBaseURL() && !strstr($dest, '/magic') && !strstr($dest, '/rmagic')) {
+		if ($basepath != $a->getBaseURL() && !strstr($dest, '/magic')) {
-			$magic_path = $basepath . '/magic' . '?f=&owa=1&dest=' . $dest;
+			$magic_path = $basepath . '/magic' . '?owa=1&dest=' . $dest . '&' . $addr_request;
 			// We have to check if the remote server does understand /magic without invoking something
 			$serverret = Network::curl($basepath . '/magic');
@ -1121,17 +1124,7 @@ class Profile
 		$_SESSION['visitor_home'] = $visitor['url'];
 		$_SESSION['my_url'] = $visitor['url'];
-		/// @todo replace this and the query for this variable with some cleaner functionality
+		Session::setVisitorsContacts();
 		$_SESSION['remote'] = [];
 		$remote_contacts = DBA::select('contact', ['id', 'uid'], ['nurl' => $visitor['nurl'], 'rel' => [Contact::FOLLOWER, Contact::FRIEND], 'self' => false]);
 		while ($contact = DBA::fetch($remote_contacts)) {
 			if (($contact['uid'] == 0) || Contact::isBlockedByUser($visitor['id'], $contact['uid'])) {
 				continue;
 			}
 			$_SESSION['remote'][$contact['uid']] = ['cid' => $contact['id'], 'uid' => $contact['uid']];
 		}
 		$a->contact = $visitor;
@ -1193,7 +1186,7 @@ class Profile
 		if (!strlen($s)) {
 			return $s;
 		}
-		if ((!strpos($s, '/profile/')) && (!$force)) {
+		if (!strpos($s, '/profile/') && !$force) {
 			return $s;
 		}
 		if ($force && substr($s, -1, 1) !== '/') {
@ -1250,7 +1243,7 @@ class Profile
 		if (!empty($search)) {
 			$searchTerm = '%' . $search . '%';
-			$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total` 
+			$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
 				FROM `profile`
 				LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
 				WHERE `is-default` $publish AND NOT `user`.`blocked` AND NOT `user`.`account_removed`
@ -1272,7 +1265,7 @@ class Profile
 				$searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm,
 				$searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm, $searchTerm);
 		} else {
-			$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total` 
+			$cnt = DBA::fetchFirst("SELECT COUNT(*) AS `total`
 				FROM `profile`
 				LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid`
 				WHERE `is-default` $publish AND NOT `user`.`blocked` AND NOT `user`.`account_removed`");
--- a/src/Module/Debug/Localtime.php
+++ b/src/Module/Debug/Localtime.php
@ -39,7 +39,7 @@ class Localtime extends BaseModule
 			$output .= '<p>' . L10n::t('Converted localtime: %s', $app->data['mod-localtime']) . '</p>';
 		}
-		$output .= '<form action ="' . $app->getBaseURL() . '/localtime?f=&time=' . $time . '" method="post" >';
+		$output .= '<form action ="' . $app->getBaseURL() . '/localtime?time=' . $time . '" method="post" >';
 		$output .= '<p>' . L10n::t('Please select your timezone:') . '</p>';
 		$output .= Temporal::getTimezoneSelect(defaults($_REQUEST, 'timezone', Installer::DEFAULT_TZ));
 		$output .= '<input type="submit" name="submit" value="' . L10n::t('Submit') . '" /></form>';
--- a/src/Module/Directory.php
+++ b/src/Module/Directory.php
@ -8,6 +8,7 @@ use Friendica\Content\Pager;
 use Friendica\Content\Widget;
 use Friendica\Core\Hook;
 use Friendica\Core\L10n;
 use Friendica\Core\Session;
 use Friendica\Core\Renderer;
 use Friendica\Model\Contact;
 use Friendica\Model\Profile;
@ -25,8 +26,8 @@ class Directory extends BaseModule
 		$app = self::getApp();
 		$config = $app->getConfig();
-		if (($config->get('system', 'block_public') && !local_user() && !remote_user()) ||
+		if (($config->get('system', 'block_public') && !Session::isAuthenticated()) ||
-			($config->get('system', 'block_local_dir') && !local_user() && !remote_user())) {
+			($config->get('system', 'block_local_dir') && !Session::isAuthenticated())) {
 			throw new HTTPException\ForbiddenException(L10n::t('Public access denied.'));
 		}
--- a/src/Module/Like.php
+++ b/src/Module/Like.php
@ -4,6 +4,7 @@ namespace Friendica\Module;
 use Friendica\BaseModule;
 use Friendica\Model\Item;
 use Friendica\Core\Session;
 use Friendica\Network\HTTPException;
 use Friendica\Util\Strings;
@ -14,7 +15,7 @@ class Like extends BaseModule
 {
 	public static function rawContent()
 	{
-		if (!local_user() && !remote_user()) {
+		if (!Session::isAuthenticated()) {
 			throw new HTTPException\ForbiddenException();
 		}
--- a/src/Module/Logout.php
+++ b/src/Module/Logout.php
@ -7,6 +7,7 @@ namespace Friendica\Module;
 use Friendica\BaseModule;
 use Friendica\Core\Authentication;
 use Friendica\Core\Cache;
 use Friendica\Core\Hook;
 use Friendica\Core\L10n;
 use Friendica\Core\System;
@ -27,6 +28,7 @@ class Logout extends BaseModule
 		$visitor_home = null;
 		if (remote_user()) {
 			$visitor_home = Profile::getMyURL();
 			Cache::delete('zrlInit:' . $visitor_home);
 		}
 		Hook::callAll("logging_out");
--- a/src/Module/Magic.php
+++ b/src/Module/Magic.php
@ -32,15 +32,16 @@ class Magic extends BaseModule
 		$dest = defaults($_REQUEST, 'dest', '');
 		$test = (!empty($_REQUEST['test']) ? intval($_REQUEST['test']) : 0);
 		$owa  = (!empty($_REQUEST['owa'])  ? intval($_REQUEST['owa'])  : 0);
 		$cid  = 0;
 		if (!empty($addr)) {
 			$cid = Contact::getIdForURL($addr);
-		} else {
+		} elseif (!empty($dest)) {
 			$cid = Contact::getIdForURL($dest);
 		}
 		if (!$cid) {
-			Logger::log('No contact record found: ' . json_encode($_REQUEST), Logger::DEBUG);
+			Logger::info('No contact record found', $_REQUEST);
 			// @TODO Finding a more elegant possibility to redirect to either internal or external URL
 			$a->redirect($dest);
 		}
@ -96,9 +97,9 @@ class Magic extends BaseModule
 						} else {
 							$token = $j['token'];
 						}
-						$x = strpbrk($dest, '?&');
+						$args = (strpbrk($dest, '?&') ? '&' : '?') . 'owt=' . $token;
 						$args = (($x) ? '&owt=' . $token : '?f=&owt=' . $token);
 						Logger::info('Redirecting', ['path' => $dest . $args]);
 						System::externalRedirect($dest . $args);
 					}
 				}
--- a/src/Module/Profile.php
+++ b/src/Module/Profile.php
@ -48,8 +48,6 @@ class Profile extends BaseModule
 		if (local_user() && $a->argc > 2 && $a->argv[2] === 'view') {
 			self::$which = $a->user['nickname'];
 			self::$profile = filter_var($a->argv[1], FILTER_SANITIZE_NUMBER_INT);
 		} else {
 			DFRN::autoRedir($a, self::$which);
 		}
 	}
@ -86,8 +84,8 @@ class Profile extends BaseModule
 			$a->page['htmlhead'] .= "\n";
-			$blocked   = !local_user() && !remote_user() && Config::get('system', 'block_public');
+			$blocked   = !local_user() && !Session::getRemoteContactID($a->profile['profile_uid']) && Config::get('system', 'block_public');
-			$userblock = !local_user() && !remote_user() && $a->profile['hidewall'];
+			$userblock = !local_user() && !Session::getRemoteContactID($a->profile['profile_uid']) && $a->profile['hidewall'];
 			if (!empty($a->profile['page-flags']) && $a->profile['page-flags'] == User::PAGE_FLAGS_COMMUNITY) {
 				$a->page['htmlhead'] .= '<meta name="friendica.community" content="true" />' . "\n";
@ -153,13 +151,10 @@ class Profile extends BaseModule
 		$hashtags = defaults($_GET, 'tag', '');
-		if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+		if (Config::get('system', 'block_public') && !local_user() && !Session::getRemoteContactID($a->profile['profile_uid'])) {
 			return Login::form();
 		}
 		$groups = [];
 		$remote_cid = null;
 		$o = '';
 		if ($update) {
@ -169,17 +164,9 @@ class Profile extends BaseModule
 			Nav::setSelected('home');
 		}
-		$remote_contact = ContactModel::isFollower(remote_user(), $a->profile['profile_uid']);
+		$remote_contact = Session::getRemoteContactID($a->profile['profile_uid']);
 		$is_owner = local_user() == $a->profile['profile_uid'];
-		$last_updated_key = "profile:" . $a->profile['profile_uid'] . ":" . local_user() . ":" . remote_user();
+		$last_updated_key = "profile:" . $a->profile['profile_uid'] . ":" . local_user() . ":" . $remote_contact;
 		if ($remote_contact) {
 			$cdata = ContactModel::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']);
 			if (!empty($cdata['user'])) {
 				$groups = Group::getIdsByContactId($cdata['user']);
 				$remote_cid = $cdata['user'];
 			}
 		}
 		if (!empty($a->profile['hidewall']) && !$is_owner && !$remote_contact) {
 			notice(L10n::t('Access to this profile has been restricted.') . EOL);
@ -229,7 +216,7 @@ class Profile extends BaseModule
 		}
 		// Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
-		$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups, $remote_cid);
+		$sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid']);
 		$sql_extra2 = '';
 		$last_updated_array = Session::get('last_updated', []);
--- a/src/Module/Profile/Contacts.php
+++ b/src/Module/Profile/Contacts.php
@ -10,6 +10,7 @@ use Friendica\Core\Config;
 use Friendica\Core\L10n;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Profile;
@ -19,7 +20,7 @@ class Contacts extends BaseModule
 {
 	public static function content()
 	{
-		if (Config::get('system', 'block_public') && !local_user() && !remote_user()) {
+		if (Config::get('system', 'block_public') && !Session::isAuthenticated()) {
 			throw new \Friendica\Network\HTTPException\NotFoundException(L10n::t('User not found.'));
 		}
--- a/src/Object/Post.php
+++ b/src/Object/Post.php
@ -14,8 +14,8 @@ use Friendica\Core\L10n;
 use Friendica\Core\Logger;
 use Friendica\Core\PConfig;
 use Friendica\Core\Protocol;
 use Friendica\Core\Renderer;
 use Friendica\Core\Session;
 use Friendica\Core\Renderer;
 use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Item;
@ -71,13 +71,8 @@ class Post extends BaseObject
 		$this->setTemplate('wall');
 		$this->toplevel = $this->getId() == $this->getDataValue('parent');
-		if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) {
+		if (!empty(Session::getUserIDForVisitorContactID($this->getDataValue('contact-id')))) {
-			foreach ($_SESSION['remote'] as $visitor) {
+			$this->visiting = true;
 				if ($visitor['cid'] == $this->getDataValue('contact-id')) {
 					$this->visiting = true;
 					break;
 				}
 			}
 		}
 		$this->writable = $this->getDataValue('writable') || $this->getDataValue('self');
@ -224,7 +219,7 @@ class Post extends BaseObject
 		$author = ['uid' => 0, 'id' => $item['author-id'],
 			'network' => $item['author-network'], 'url' => $item['author-link']];
-		if (local_user() || remote_user()) {
+		if (Session::isAuthenticated()) {
 			$profile_link = Contact::magicLinkByContact($author);
 		} else {
 			$profile_link = $item['author-link'];
--- a/src/Protocol/DFRN.php
+++ b/src/Protocol/DFRN.php
@ -2849,115 +2849,6 @@ class DFRN
 		return 200;
 	}
 	/**
 	 * @param App    $a            App
 	 * @param string $contact_nick contact nickname
 	 * @throws \Friendica\Network\HTTPException\InternalServerErrorException
 	 */
 	public static function autoRedir(App $a, $contact_nick)
 	{
 		// prevent looping
 		if (!empty($_REQUEST['redir'])) {
 			Logger::log('autoRedir might be looping because redirect has been redirected', Logger::DEBUG);
 			// looping prevention also appears to sometimes prevent authentication for images
 			// because browser may have multiple connections open and load an image on a connection
 			// whose session wasn't updated when a previous redirect authenticated
 			// Leaving commented in case looping reappears
 			//return;
 		}
 		if ((! $contact_nick) || ($contact_nick === $a->user['nickname'])) {
 			return;
 		}
 		if (local_user()) {
 			// We need to find out if $contact_nick is a user on this hub, and if so, if I
 			// am a contact of that user. However, that user may have other contacts with the
 			// same nickname as me on other hubs or other networks. Exclude these by requiring
 			// that the contact have a local URL. I will be the only person with my nickname at
 			// this URL, so if a result is found, then I am a contact of the $contact_nick user.
 			//
 			// We also have to make sure that I'm a legitimate contact--I'm not blocked or pending.
 			$baseurl = System::baseUrl();
 			$domain_st = strpos($baseurl, "://");
 			if ($domain_st === false) {
 				return;
 			}
 			$baseurl = substr($baseurl, $domain_st + 3);
 			$nurl = Strings::normaliseLink($baseurl);
 			$r = User::getByNickname($contact_nick, ["uid"]);
 			$contact_uid = $r["uid"];
 			/// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange.
 			$r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1)
 					AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1",
 				DBA::escape($contact_nick),
 				DBA::escape($a->user['nickname']),
 				DBA::escape($baseurl),
 				DBA::escape($nurl)
 			);
 			if ((! DBA::isResult($r))) {
 				return;
 			}
 			// test if redirect authentication already succeeded
 			// Note that "contact" in the sense used in the $contact_nick argument to this function
 			// and the sense in the $remote[]["cid"] in the session are opposite.
 			// In the session variable the user currently fetching is the contact
 			// while $contact_nick is the nick of tho user who owns the stuff being fetched.
 			foreach (Session::get('remote', []) as $visitor) {
 				if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) {
 					return;
 				}
 			}
 			$r = q("SELECT * FROM contact WHERE nick = '%s'
 					AND network = '%s' AND uid = %d  AND url LIKE '%%%s%%' LIMIT 1",
 				DBA::escape($contact_nick),
 				DBA::escape(Protocol::DFRN),
 				intval(local_user()),
 				DBA::escape($baseurl)
 			);
 			if (! DBA::isResult($r)) {
 				return;
 			}
 			$cid = $r[0]['id'];
 			$dfrn_id = (($r[0]['issued-id']) ? $r[0]['issued-id'] : $r[0]['dfrn-id']);
 			if ($r[0]['duplex'] && $r[0]['issued-id']) {
 				$orig_id = $r[0]['issued-id'];
 				$dfrn_id = '1:' . $orig_id;
 			}
 			if ($r[0]['duplex'] && $r[0]['dfrn-id']) {
 				$orig_id = $r[0]['dfrn-id'];
 				$dfrn_id = '0:' . $orig_id;
 			}
 			// ensure that we've got a valid ID. There may be some edge cases with forums and non-duplex mode
 			// that may have triggered some of the "went to {profile/intro} and got an RSS feed" issues
 			if (strlen($dfrn_id) < 3) {
 				return;
 			}
 			$sec = Strings::getRandomHex();
 			DBA::insert('profile_check', ['uid' => local_user(), 'cid' => $cid, 'dfrn_id' => $dfrn_id, 'sec' => $sec, 'expire' => time() + 45]);
 			$url = curPageURL();
 			Logger::log('auto_redir: ' . $r[0]['name'] . ' ' . $sec, Logger::DEBUG);
 			$dest = (($url) ? '&destination_url=' . $url : '');
 			System::externalRedirect($r[0]['poll'] . '?dfrn_id=' . $dfrn_id
 				. '&dfrn_version=' . DFRN_PROTOCOL_VERSION . '&type=profile&sec=' . $sec . $dest);
 		}
 		return;
 	}
 	/**
 	 * @brief Returns the activity verb
 	 *
--- a/src/Protocol/Diaspora.php
+++ b/src/Protocol/Diaspora.php
@ -1608,7 +1608,7 @@ class Diaspora
 		}
 		if (self::isRedmatrix($contact["url"])) {
-			return $contact["url"] . "/?f=&mid=" . $guid;
+			return $contact["url"] . "/?mid=" . $guid;
 		}
 		if ($parent_guid != '') {
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@ -10,6 +10,7 @@ use Friendica\Database\DBA;
 use Friendica\Model\Contact;
 use Friendica\Model\Group;
 use Friendica\Model\User;
 use Friendica\Core\Session;
 /**
 * Secures that User is allow to do requests
@ -20,7 +21,7 @@ class Security extends BaseObject
 	{
 		static $verified = 0;
-		if (!local_user() && !remote_user()) {
+		if (!Session::isAuthenticated()) {
 			return false;
 		}
@ -33,7 +34,7 @@ class Security extends BaseObject
 			return true;
 		}
-		if (remote_user($owner)) {
+		if (!empty(Session::getRemoteContactID($owner))) {
 			// use remembered decision and avoid a DB lookup for each and every display item
 			// DO NOT use this function if there are going to be multiple owners
 			// We have a contact-id for an authenticated remote user, this block determines if the contact
@ -44,14 +45,14 @@ class Security extends BaseObject
 			} elseif ($verified === 1) {
 				return false;
 			} else {
-				$cid = remote_user($owner);
+				$cid = Session::getRemoteContactID($owner);
 				if (!$cid) {
 					return false;
 				}
 				$r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid`
 					WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
-					AND `user`.`blockwall` = 0 AND `readonly` = 0  AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
+					AND `user`.`blockwall` = 0 AND `readonly` = 0  AND (`contact`.`rel` IN (%d , %d) OR `user`.`page-flags` = %d) LIMIT 1",
 					intval($owner),
 					intval($cid),
 					intval(Contact::SHARING),
@ -71,11 +72,10 @@ class Security extends BaseObject
 		return false;
 	}
-	/// @TODO $groups should be array
+	public static function getPermissionsSQLByUserId($owner_id)
 	public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
 	{
 		$local_user = local_user();
-		$remote_user = remote_user();
+		$remote_contact = Session::getRemoteContactID($owner_id);
 		/*
 		 * Construct permissions
@ -83,10 +83,9 @@ class Security extends BaseObject
 		 * default permissions - anonymous user
 		 */
 		$sql = " AND allow_cid = ''
-				 AND allow_gid = ''
+			 AND allow_gid = ''
-				 AND deny_cid  = ''
+			 AND deny_cid  = ''
-				 AND deny_gid  = ''
+			 AND deny_gid  = '' ";
 		";
 		/*
 		 * Profile owner - everything is visible
@ -94,59 +93,28 @@ class Security extends BaseObject
 		if ($local_user && $local_user == $owner_id) {
 			$sql = '';
 		/*
-		 * Authenticated visitor. Unless pre-verified,
+		 * Authenticated visitor. Load the groups the visitor belongs to.
 		 * check that the contact belongs to this $owner_id
 		 * and load the groups the visitor belongs to.
 		 * If pre-verified, the caller is expected to have already
 		 * done this and passed the groups into this function.
 		 */
-		} elseif ($remote_user) {
+		} elseif ($remote_contact) {
-			/*
+			$gs = '<<>>'; // should be impossible to match
 			 * Authenticated visitor. Unless pre-verified,
 			 * check that the contact belongs to this $owner_id
 			 * and load the groups the visitor belongs to.
 			 * If pre-verified, the caller is expected to have already
 			 * done this and passed the groups into this function.
 			 */
-			if (!$remote_verified) {
+			$groups = Group::getIdsByContactId($remote_contact);
 				$cid = 0;
-				foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
+			if (is_array($groups)) {
-					if ($visitor['uid'] == $owner_id) {
+				foreach ($groups as $g) {
-						$cid = $visitor['cid'];
+					$gs .= '|<' . intval($g) . '>';
 						break;
 					}
 				}
 				if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
 					$remote_verified = true;
 					$groups = Group::getIdsByContactId($cid);
 				}
 			}
-			if ($remote_verified) {
+			$sql = sprintf(
-				$gs = '<<>>'; // should be impossible to match
+				" AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
-
+				  AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR (allow_cid = '' AND allow_gid = ''))) ",
-				if (is_array($groups)) {
+				intval($remote_contact),
-					foreach ($groups as $g) {
+				DBA::escape($gs),
-						$gs .= '|<' . intval($g) . '>';
+				intval($remote_contact),
-					}
+				DBA::escape($gs)
-				}
+			);
 				$sql = sprintf(
 					" AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
 					  AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
 					  )
 					",
 					intval($cid),
 					DBA::escape($gs),
 					intval($cid),
 					DBA::escape($gs)
 				);
 			}
 		}
 		return $sql;
 	}
 }