Ensure that public contacts can't create toplevel posts

Michael 2018-03-30 06:20:00 +00:00
parent c9f02d534e
commit 1613f2a1c4
2 changed files with 15 additions and 12 deletions


@ -55,7 +55,6 @@ function dfrn_notify_post(App $a) {
} }
// Set the user id. This is important if this is a public contact // Set the user id. This is important if this is a public contact
$importer['uid'] = $user['uid'];
$importer['importer_uid'] = $user['uid']; $importer['importer_uid'] = $user['uid'];
// Now we should be able to import it // Now we should be able to import it
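Review bot: The comment left in place above the assignment, `// Set the user id. This is important if this is a public contact`, no longer explains the code, because with `$importer['uid'] = $user['uid'];` removed only `importer_uid` carries the receiving user's id. The second file on this page relies on `$importer['uid']` staying 0 for a public contact to refuse top-level posts, so the distinction is security-relevant and should be written down here. I would reword it to `// importer_uid is the receiving user; $importer['uid'] is left as the contact's own uid (0 for a public contact)`. The body of `dfrn_notify_post` starts and ends outside the hunk.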


@ -1433,7 +1433,7 @@ class DFRN
$contact_old = dba::fetch_first("SELECT `id`, `uid`, `url`, `network`, `avatar-date`, `avatar`, `name-date`, `uri-date`, `addr`, $contact_old = dba::fetch_first("SELECT `id`, `uid`, `url`, `network`, `avatar-date`, `avatar`, `name-date`, `uri-date`, `addr`,
`name`, `nick`, `about`, `location`, `keywords`, `xmpp`, `bdyear`, `bd`, `hidden`, `contact-type` `name`, `nick`, `about`, `location`, `keywords`, `xmpp`, `bdyear`, `bd`, `hidden`, `contact-type`
FROM `contact` WHERE `uid` = ? AND `nurl` = ? AND `network` != ?", FROM `contact` WHERE `uid` = ? AND `nurl` = ? AND `network` != ?",
$importer["uid"], $importer["importer_uid"],
normalise_link($author["link"]), normalise_link($author["link"]),
NETWORK_STATUSNET NETWORK_STATUSNET
); );
@ -1443,7 +1443,7 @@ class DFRN
$author["network"] = $contact_old["network"]; $author["network"] = $contact_old["network"];
} else { } else {
if (!$onlyfetch) { if (!$onlyfetch) {
logger("Contact ".$author["link"]." wasn't found for user ".$importer["uid"]." XML: ".$xml, LOGGER_DEBUG); logger("Contact ".$author["link"]." wasn't found for user ".$importer["importer_uid"]." XML: ".$xml, LOGGER_DEBUG);
} }
$author["contact-id"] = $importer["id"]; $author["contact-id"] = $importer["id"];
@ -1639,7 +1639,7 @@ class DFRN
Contact::updateAvatar( Contact::updateAvatar(
$author['avatar'], $author['avatar'],
$importer['uid'], $importer['importer_uid'],
$contact['id'], $contact['id'],
(strtotime($contact['avatar-date']) > strtotime($contact_old['avatar-date']) || ($author['avatar'] != $contact_old['avatar'])) (strtotime($contact['avatar-date']) > strtotime($contact_old['avatar-date']) || ($author['avatar'] != $contact_old['avatar']))
); );
@ -1657,7 +1657,7 @@ class DFRN
$poco["contact-type"] = $contact["contact-type"]; $poco["contact-type"] = $contact["contact-type"];
$gcid = GContact::update($poco); $gcid = GContact::update($poco);
GContact::link($gcid, $importer["uid"], $contact["id"]); GContact::link($gcid, $importer["importer_uid"], $contact["id"]);
} }
return $author; return $author;
@ -2617,7 +2617,7 @@ class DFRN
if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) { if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) {
logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG); logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG);
$ev["cid"] = $importer["id"]; $ev["cid"] = $importer["id"];
$ev["uid"] = $importer["uid"]; $ev["uid"] = $importer["importer_uid"];
$ev["uri"] = $item["uri"]; $ev["uri"] = $item["uri"];
$ev["edited"] = $item["edited"]; $ev["edited"] = $item["edited"];
$ev["private"] = $item["private"]; $ev["private"] = $item["private"];
@ -2626,7 +2626,7 @@ class DFRN
$r = q( $r = q(
"SELECT `id` FROM `event` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", "SELECT `id` FROM `event` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1",
dbesc($item["uri"]), dbesc($item["uri"]),
intval($importer["uid"]) intval($importer["importer_uid"])
); );
if (DBM::is_result($r)) { if (DBM::is_result($r)) {
$ev["id"] = $r[0]["id"]; $ev["id"] = $r[0]["id"];
@ -2681,6 +2681,10 @@ class DFRN
return true; return true;
} }
} else { // $entrytype == DFRN_TOP_LEVEL } else { // $entrytype == DFRN_TOP_LEVEL
if ($importer["uid"] == 0) {
logger("Contact ".$importer["id"]." isn't known to user ".$importer["importer_uid"].". The post will be ignored.", LOGGER_DEBUG);
return;
}
if (!link_compare($item["owner-link"], $importer["url"])) { if (!link_compare($item["owner-link"], $importer["url"])) {
/* /*
* The item owner info is not our contact. It's OK and is to be expected if this is a tgroup delivery, * The item owner info is not our contact. It's OK and is to be expected if this is a tgroup delivery,
@ -2736,10 +2740,10 @@ class DFRN
return false; return false;
} }
$condition = ["`uri` = ? AND `uid` = ? AND NOT `file` LIKE '%[%'", $uri, $importer["uid"]]; $condition = ["`uri` = ? AND `uid` = ? AND NOT `file` LIKE '%[%'", $uri, $importer["importer_uid"]];
$item = dba::selectFirst('item', ['id', 'parent', 'contact-id'], $condition); $item = dba::selectFirst('item', ['id', 'parent', 'contact-id'], $condition);
if (!DBM::is_result($item)) { if (!DBM::is_result($item)) {
logger("Item with uri " . $uri . " for user " . $importer["uid"] . " wasn't found.", LOGGER_DEBUG); logger("Item with uri " . $uri . " for user " . $importer["importer_uid"] . " wasn't found.", LOGGER_DEBUG);
return; return;
} }
@ -2808,7 +2812,7 @@ class DFRN
$xpath->registerNamespace("statusnet", NAMESPACE_STATUSNET); $xpath->registerNamespace("statusnet", NAMESPACE_STATUSNET);
$header = []; $header = [];
$header["uid"] = $importer["uid"]; $header["uid"] = $importer["importer_uid"];
$header["network"] = NETWORK_DFRN; $header["network"] = NETWORK_DFRN;
$header["type"] = "remote"; $header["type"] = "remote";
$header["wall"] = 0; $header["wall"] = 0;
@ -2827,7 +2831,7 @@ class DFRN
self::fetchauthor($xpath, $doc->firstChild, $importer, "dfrn:owner", false, $xml); self::fetchauthor($xpath, $doc->firstChild, $importer, "dfrn:owner", false, $xml);
} }
logger("Import DFRN message for user " . $importer["uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); logger("Import DFRN message for user " . $importer["importer_uid"] . " from contact " . $importer["id"], LOGGER_DEBUG);
// The account type is new since 3.5.1 // The account type is new since 3.5.1
if ($xpath->query("/atom:feed/dfrn:account_type")->length > 0) { if ($xpath->query("/atom:feed/dfrn:account_type")->length > 0) {
@ -2895,7 +2899,7 @@ class DFRN
self::processEntry($header, $xpath, $entry, $importer, $xml); self::processEntry($header, $xpath, $entry, $importer, $xml);
} }
} }
logger("Import done for user " . $importer["uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); logger("Import done for user " . $importer["importer_uid"] . " from contact " . $importer["id"], LOGGER_DEBUG);
return 200; return 200;
} }
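Review bot: The new guard in the `DFRN_TOP_LEVEL` branch, `if ($importer["uid"] == 0)`, is an authorization check resting on an unstated invariant: `$importer["uid"]` is the contact row's owner (0 for a public contact) and `$importer["importer_uid"]` is the receiving user. Nothing in the visible hunks checks that every caller of the import sets `importer_uid`; if one does not, the converted reads would presumably resolve to 0 through `intval()` and the query parameters, so the callers outside this page are worth confirming. I would state the rule above the guard, e.g. `// uid is the contact's owner (0 = public contact), importer_uid the receiving user; public contacts must not start threads`, and test `intval($importer["uid"]) === 0`, which fails closed for an empty or missing value instead of depending on loose comparison rules that differ between PHP versions. The refusal is logged only at `LOGGER_DEBUG`; since it records a rejected delivery from an unknown contact, a level that is enabled in production would make it visible to whoever monitors the node. The enclosing function starts and ends outside the hunk.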