From 8fbe0d46e9ba6e1ab84d821bb5e5339f726f553e Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 8 Dec 2018 20:28:01 +0000 Subject: [PATCH 1/2] Fix for remote authentication when visiting contact's pages --- mod/delegate.php | 2 ++ mod/display.php | 32 ++++++++------------------------ mod/profile.php | 41 ++++++++--------------------------------- src/Model/Contact.php | 31 +++++++++++++++++++++++++++++-- 4 files changed, 47 insertions(+), 59 deletions(-) diff --git a/mod/delegate.php b/mod/delegate.php index 280498db6..4bfc0e31b 100644 --- a/mod/delegate.php +++ b/mod/delegate.php @@ -163,6 +163,8 @@ function delegate_content(App $a) if (!is_null($parent_user)) { $parent_password = ['parent_password', L10n::t('Parent Password:'), '', L10n::t('Please enter the password of the parent account to legitimize your request.')]; + } else { + $parent_password = ''; } $o = Renderer::replaceMacros(Renderer::getMarkupTemplate('delegate.tpl'), [ diff --git a/mod/display.php b/mod/display.php index 74ad479a7..729ca4401 100644 --- a/mod/display.php +++ b/mod/display.php @@ -272,33 +272,17 @@ function display_content(App $a, $update = false, $update_uid = 0) $groups = []; - $contact = null; - $is_remote_contact = false; - - $contact_id = 0; - - if (!empty($_SESSION['remote']) && is_array($_SESSION['remote'])) { - foreach ($_SESSION['remote'] as $v) { - if ($v['uid'] == $a->profile['uid']) { - $contact_id = $v['cid']; - break; - } - } + $parent = Item::selectFirst(['uid'], ['uri' => $item_parent_uri, 'wall' => true]); + if (DBA::isResult($parent)) { + $a->profile['profile_uid'] = $parent['uid']; } - if ($contact_id) { - $groups = Group::getIdsByContactId($contact_id); - $remote_contact = DBA::selectFirst('contact', [], ['id' => $contact_id, 'uid' => $a->profile['uid']]); - if (DBA::isResult($remote_contact)) { - $contact = $remote_contact; - $is_remote_contact = true; - } - } + $is_remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']); - if (!$is_remote_contact) { - if (local_user()) { - $contact_id = $_SESSION['cid']; - $contact = $a->contact; + if ($is_remote_contact) { + $cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']); + if (!empty($cdata['user'])) { + $groups = Group::getIdsByContactId($cdata['user']); } } diff --git a/mod/profile.php b/mod/profile.php index abbe65ccb..2c11f43b9 100644 --- a/mod/profile.php +++ b/mod/profile.php @@ -150,42 +150,17 @@ function profile_content(App $a, $update = 0) Nav::setSelected('home'); } - $contact = null; - $remote_contact = false; - - $contact_id = 0; - - if (!empty($_SESSION['remote'])) { - foreach ($_SESSION['remote'] as $v) { - if ($v['uid'] == $a->profile['profile_uid']) { - $contact_id = $v['cid']; - break; - } - } - } - - if ($contact_id) { - $groups = Group::getIdsByContactId($contact_id); - $r = q("SELECT * FROM `contact` WHERE `id` = %d AND `uid` = %d LIMIT 1", - intval($contact_id), - intval($a->profile['profile_uid']) - ); - if (DBA::isResult($r)) { - $contact = $r[0]; - $remote_contact = true; - } - } - - if (!$remote_contact) { - if (local_user()) { - $contact_id = $_SESSION['cid']; - $contact = $a->contact; - } - } - + $remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']); $is_owner = local_user() == $a->profile['profile_uid']; $last_updated_key = "profile:" . $a->profile['profile_uid'] . ":" . local_user() . ":" . remote_user(); + if ($remote_contact) { + $cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']); + if (!empty($cdata['user'])) { + $groups = Group::getIdsByContactId($cdata['user']); + } + } + if (!empty($a->profile['hidewall']) && !$is_owner && !$remote_contact) { notice(L10n::t('Access to this profile has been restricted.') . EOL); return; diff --git a/src/Model/Contact.php b/src/Model/Contact.php index 4cc78e4d8..af6ad46d2 100644 --- a/src/Model/Contact.php +++ b/src/Model/Contact.php @@ -98,6 +98,29 @@ class Contact extends BaseObject * @} */ + /** + * @brief Tests if the given contact is a follower + * + * @param int $cid Either public contact id or user's contact id + * @param int $uid User ID + * + * @return boolean is the contact id a follower? + */ + public static function isFollower($cid, $uid) + { + if (self::isBlockedByUser($cid, $uid)) { + return false; + } + + $cdata = self::getPublicAndUserContacID($cid, $uid); + if (empty($cdata['user'])) { + return false; + } + + $condition = ['id' => $cdata['user'], 'rel' => [self::FOLLOWER, self::FRIEND]]; + return DBA::exists('contact', $condition); + } + /** * @brief Get the basepath for a given contact link * @todo Add functionality to store this value in the contact table @@ -125,7 +148,7 @@ class Contact extends BaseObject * * @return array with public and user's contact id */ - private static function getPublicAndUserContacID($cid, $uid) + public static function getPublicAndUserContacID($cid, $uid) { if (empty($uid) || empty($cid)) { return []; @@ -2054,6 +2077,10 @@ class Contact extends BaseObject */ public static function magicLink($contact_url, $url = '') { + if (!local_user()) { + return $url ?: $contact_url; // Equivalent to: ($url != '') ? $url : $contact_url; + } + $cid = self::getIdForURL($contact_url, 0, true); if (empty($cid)) { return $url ?: $contact_url; // Equivalent to: ($url != '') ? $url : $contact_url; @@ -2087,7 +2114,7 @@ class Contact extends BaseObject */ public static function magicLinkbyContact($contact, $url = '') { - if ($contact['network'] != Protocol::DFRN) { + if (!local_user() || ($contact['network'] != Protocol::DFRN)) { return $url ?: $contact['url']; // Equivalent to ($url != '') ? $url : $contact['url']; } From f2e2066d339dcd4f732219857a3bd9cb3144911b Mon Sep 17 00:00:00 2001 From: Michael Date: Sun, 9 Dec 2018 13:09:49 +0000 Subject: [PATCH 2/2] Non public content is now displayed again to visitors. --- include/conversation.php | 2 +- mod/display.php | 56 ++++++++++++++++++++++++++-------------- mod/profile.php | 7 ++--- src/Model/Item.php | 4 +-- 4 files changed, 43 insertions(+), 26 deletions(-) diff --git a/include/conversation.php b/include/conversation.php index 1c97a1abe..839b58b87 100644 --- a/include/conversation.php +++ b/include/conversation.php @@ -798,7 +798,7 @@ function conversation_add_children(array $parents, $block_authors, $order, $uid) foreach ($parents AS $parent) { $condition = ["`item`.`parent-uri` = ? AND `item`.`uid` IN (0, ?) ", - $parent['uri'], local_user()]; + $parent['uri'], $uid]; if ($block_authors) { $condition[0] .= "AND NOT `author`.`hidden`"; } diff --git a/mod/display.php b/mod/display.php index 729ca4401..f4a09b74e 100644 --- a/mod/display.php +++ b/mod/display.php @@ -26,6 +26,10 @@ use Friendica\Module\Objects; function display_init(App $a) { + if (ActivityPub::isRequest()) { + Objects::rawContent(); + } + if (Config::get('system', 'block_public') && !local_user() && !remote_user()) { return; } @@ -48,6 +52,7 @@ function display_init(App $a) } $item = null; + $item_user = local_user(); $fields = ['id', 'parent', 'author-id', 'body', 'uid', 'guid']; @@ -61,6 +66,16 @@ function display_init(App $a) if (DBA::isResult($item)) { $nick = $a->user["nickname"]; } + // Is this item private but could be visible to the remove visitor? + } elseif (remote_user()) { + $item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]); + if (DBA::isResult($item)) { + if (!Contact::isFollower(remote_user(), $item['uid'])) { + $item = null; + } else { + $item_user = $item['uid']; + } + } } // Is it an item with uid=0? @@ -72,9 +87,7 @@ function display_init(App $a) } if (!DBA::isResult($item)) { - $a->error = 404; - notice(L10n::t('Item not found.') . EOL); - return; + System::httpExit(404); } if (!empty($_SERVER['HTTP_ACCEPT']) && strstr($_SERVER['HTTP_ACCEPT'], 'application/atom+xml')) { @@ -82,10 +95,6 @@ function display_init(App $a) displayShowFeed($item["id"], false); } - if (ActivityPub::isRequest()) { - Objects::rawContent(); - } - if ($item["id"] != $item["parent"]) { $item = Item::selectFirstForUser(local_user(), $fields, ['id' => $item["parent"]]); } @@ -225,7 +234,7 @@ function display_content(App $a, $update = false, $update_uid = 0) if ($a->argc == 2) { $item_parent = 0; - $fields = ['id', 'parent', 'parent-uri']; + $fields = ['id', 'parent', 'parent-uri', 'uid']; if (local_user()) { $condition = ['guid' => $a->argv[1], 'uid' => local_user()]; @@ -235,6 +244,13 @@ function display_content(App $a, $update = false, $update_uid = 0) $item_parent = $item["parent"]; $item_parent_uri = $item['parent-uri']; } + } elseif (remote_user()) { + $item = Item::selectFirst($fields, ['guid' => $a->argv[1], 'private' => 1]); + if (DBA::isResult($item) && Contact::isFollower(remote_user(), $item['uid'])) { + $item_id = $item["id"]; + $item_parent = $item["parent"]; + $item_parent_uri = $item['parent-uri']; + } } if ($item_parent == 0) { @@ -250,9 +266,7 @@ function display_content(App $a, $update = false, $update_uid = 0) } if (!$item_id) { - $a->error = 404; - notice(L10n::t('Item not found.').EOL); - return; + System::httpExit(404); } // We are displaying an "alternate" link if that post was public. See issue 2864 @@ -271,18 +285,22 @@ function display_content(App $a, $update = false, $update_uid = 0) '$conversation' => $conversation]); $groups = []; + $remote_cid = null; + $is_remote_contact = false; + $item_uid = local_user(); $parent = Item::selectFirst(['uid'], ['uri' => $item_parent_uri, 'wall' => true]); if (DBA::isResult($parent)) { $a->profile['profile_uid'] = $parent['uid']; + $is_remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']); } - $is_remote_contact = Contact::isFollower(remote_user(), $a->profile['profile_uid']); - if ($is_remote_contact) { $cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']); if (!empty($cdata['user'])) { $groups = Group::getIdsByContactId($cdata['user']); + $remote_cid = $cdata['user']; + $item_uid = $parent['uid']; } } @@ -312,10 +330,9 @@ function display_content(App $a, $update = false, $update_uid = 0) ]; $o .= status_editor($a, $x, 0, true); } + $sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $is_remote_contact, $groups, $remote_cid); - $sql_extra = Item::getPermissionsSQLByUserId($a->profile['uid'], $is_remote_contact, $groups); - - if (local_user() && (local_user() == $a->profile['uid'])) { + if (local_user() && (local_user() == $a->profile['profile_uid'])) { $condition = ['parent-uri' => $item_parent_uri, 'uid' => local_user(), 'unseen' => true]; $unseen = Item::exists($condition); } else { @@ -326,13 +343,12 @@ function display_content(App $a, $update = false, $update_uid = 0) return ''; } - $condition = ["`id` = ? AND `item`.`uid` IN (0, ?) " . $sql_extra, $item_id, local_user()]; + $condition = ["`id` = ? AND `item`.`uid` IN (0, ?) " . $sql_extra, $item_id, $item_uid]; $fields = ['parent-uri', 'body', 'title', 'author-name', 'author-avatar', 'plink']; $item = Item::selectFirstForUser(local_user(), $fields, $condition); if (!DBA::isResult($item)) { - notice(L10n::t('Item not found.') . EOL); - return $o; + System::httpExit(404); } $item['uri'] = $item['parent-uri']; @@ -346,7 +362,7 @@ function display_content(App $a, $update = false, $update_uid = 0) $o .= ""; } - $o .= conversation($a, [$item], new Pager($a->query_string), 'display', $update_uid, false, 'commented', local_user()); + $o .= conversation($a, [$item], new Pager($a->query_string), 'display', $update_uid, false, 'commented', $item_uid); // Preparing the meta header $description = trim(HTML::toPlaintext(BBCode::convert($item["body"], false), 0, true)); diff --git a/mod/profile.php b/mod/profile.php index 2c11f43b9..f84a4be19 100644 --- a/mod/profile.php +++ b/mod/profile.php @@ -139,6 +139,7 @@ function profile_content(App $a, $update = 0) require_once 'include/items.php'; $groups = []; + $remote_cid = null; $tab = 'posts'; $o = ''; @@ -158,6 +159,7 @@ function profile_content(App $a, $update = 0) $cdata = Contact::getPublicAndUserContacID(remote_user(), $a->profile['profile_uid']); if (!empty($cdata['user'])) { $groups = Group::getIdsByContactId($cdata['user']); + $remote_cid = $cdata['user']; } } @@ -211,9 +213,8 @@ function profile_content(App $a, $update = 0) } } - // Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups - $sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups); + $sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups, $remote_cid); $sql_extra2 = ''; if ($update) { @@ -325,7 +326,7 @@ function profile_content(App $a, $update = 0) } } - $o .= conversation($a, $items, $pager, 'profile', $update, false, 'created', local_user()); + $o .= conversation($a, $items, $pager, 'profile', $update, false, 'created', $a->profile['profile_uid']); if (!$update) { $o .= $pager->renderMinimal(count($items)); diff --git a/src/Model/Item.php b/src/Model/Item.php index b0a346bc0..9acff3bfa 100644 --- a/src/Model/Item.php +++ b/src/Model/Item.php @@ -3214,7 +3214,7 @@ class Item extends BaseObject } } - public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null) + public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null, $remote_cid = null) { $local_user = local_user(); $remote_user = remote_user(); @@ -3237,7 +3237,7 @@ class Item extends BaseObject * If pre-verified, the caller is expected to have already * done this and passed the groups into this function. */ - $set = PermissionSet::get($owner_id, $remote_user, $groups); + $set = PermissionSet::get($owner_id, $remote_cid, $groups); if (!empty($set)) { $sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))";