Append author's contact id to allowed contacts to prevent empty ACL for private posts
This commit is contained in:
parent
a7b8c4f8d5
commit
42d05bcc1b
|
|
@ -155,10 +155,6 @@ function photos_init(App $a) {
|
||||||
|
|
||||||
function photos_post(App $a)
|
function photos_post(App $a)
|
||||||
{
|
{
|
||||||
Logger::log('mod-photos: photos_post: begin' , Logger::DEBUG);
|
|
||||||
Logger::log('mod_photos: REQUEST ' . print_r($_REQUEST, true), Logger::DATA);
|
|
||||||
Logger::log('mod_photos: FILES ' . print_r($_FILES, true), Logger::DATA);
|
|
||||||
|
|
||||||
$phototypes = Images::supportedTypes();
|
$phototypes = Images::supportedTypes();
|
||||||
|
|
||||||
$can_post = false;
|
$can_post = false;
|
||||||
|
|
@ -184,10 +180,28 @@ function photos_post(App $a)
|
||||||
|
|
||||||
if (!$owner_record) {
|
if (!$owner_record) {
|
||||||
notice(DI::l10n()->t('Contact information unavailable'));
|
notice(DI::l10n()->t('Contact information unavailable'));
|
||||||
Logger::log('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid);
|
DI::logger()->info('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid);
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$str_contact_allow = '';
|
||||||
|
$str_group_allow = '';
|
||||||
|
$str_contact_deny = '';
|
||||||
|
$str_group_deny = '';
|
||||||
|
|
||||||
|
if (($_REQUEST['visibility'] ?? '') !== 'public') {
|
||||||
|
$aclFormatter = DI::aclFormatter();
|
||||||
|
$str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $owner_record['allow_cid'] ?? '';
|
||||||
|
$str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $owner_record['allow_gid'] ?? '';
|
||||||
|
$str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $owner_record['deny_cid'] ?? '';
|
||||||
|
$str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $owner_record['deny_gid'] ?? '';
|
||||||
|
|
||||||
|
// Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
|
||||||
|
// that would make the item public. So we always append the author's contact id to the allowed contacts.
|
||||||
|
// See https://github.com/friendica/friendica/issues/9672
|
||||||
|
$str_contact_allow .= $aclFormatter->toString(\Friendica\Model\Contact::getPublicIdByUserId($page_owner_uid));
|
||||||
|
}
|
||||||
|
|
||||||
if ($a->argc > 3 && $a->argv[2] === 'album') {
|
if ($a->argc > 3 && $a->argv[2] === 'album') {
|
||||||
if (!Strings::isHex($a->argv[3])) {
|
if (!Strings::isHex($a->argv[3])) {
|
||||||
DI::baseUrl()->redirect('photos/' . $a->data['user']['nickname'] . '/album');
|
DI::baseUrl()->redirect('photos/' . $a->data['user']['nickname'] . '/album');
|
||||||
|
|
@ -313,13 +327,6 @@ function photos_post(App $a)
|
||||||
$albname = !empty($_POST['albname']) ? trim($_POST['albname']) : '';
|
$albname = !empty($_POST['albname']) ? trim($_POST['albname']) : '';
|
||||||
$origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : '';
|
$origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : '';
|
||||||
|
|
||||||
$aclFormatter = DI::aclFormatter();
|
|
||||||
|
|
||||||
$str_group_allow = !empty($_POST['group_allow']) ? $aclFormatter->toString($_POST['group_allow']) : '';
|
|
||||||
$str_contact_allow = !empty($_POST['contact_allow']) ? $aclFormatter->toString($_POST['contact_allow']) : '';
|
|
||||||
$str_group_deny = !empty($_POST['group_deny']) ? $aclFormatter->toString($_POST['group_deny']) : '';
|
|
||||||
$str_contact_deny = !empty($_POST['contact_deny']) ? $aclFormatter->toString($_POST['contact_deny']) : '';
|
|
||||||
|
|
||||||
$resource_id = $a->argv[3];
|
$resource_id = $a->argv[3];
|
||||||
|
|
||||||
if (!strlen($albname)) {
|
if (!strlen($albname)) {
|
||||||
|
|
@ -639,18 +646,6 @@ function photos_post(App $a)
|
||||||
$visible = 0;
|
$visible = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
$group_allow = $_REQUEST['group_allow'] ?? [];
|
|
||||||
$contact_allow = $_REQUEST['contact_allow'] ?? [];
|
|
||||||
$group_deny = $_REQUEST['group_deny'] ?? [];
|
|
||||||
$contact_deny = $_REQUEST['contact_deny'] ?? [];
|
|
||||||
|
|
||||||
$aclFormatter = DI::aclFormatter();
|
|
||||||
|
|
||||||
$str_group_allow = $aclFormatter->toString(is_array($group_allow) ? $group_allow : explode(',', $group_allow));
|
|
||||||
$str_contact_allow = $aclFormatter->toString(is_array($contact_allow) ? $contact_allow : explode(',', $contact_allow));
|
|
||||||
$str_group_deny = $aclFormatter->toString(is_array($group_deny) ? $group_deny : explode(',', $group_deny));
|
|
||||||
$str_contact_deny = $aclFormatter->toString(is_array($contact_deny) ? $contact_deny : explode(',', $contact_deny));
|
|
||||||
|
|
||||||
$ret = ['src' => '', 'filename' => '', 'filesize' => 0, 'type' => ''];
|
$ret = ['src' => '', 'filename' => '', 'filesize' => 0, 'type' => ''];
|
||||||
|
|
||||||
Hook::callAll('photo_post_file', $ret);
|
Hook::callAll('photo_post_file', $ret);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue