friendica-github/src/Security/Security.php

<?php

// Copyright (C) 2010-2024, the Friendica project
// SPDX-FileCopyrightText: 2010-2024 the Friendica project
//
// SPDX-License-Identifier: AGPL-3.0-or-later

namespace Friendica\Security;

use Friendica\Database\DBA;
use Friendica\DI;
use Friendica\Model\Contact;
use Friendica\Model\Circle;
use Friendica\Model\User;

/**
 * Secures that User is allow to do requests
 */
class Security
{
	public static function canWriteToUserWall($owner)
	{
		static $verified = 0;

		if (!DI::userSession()->isAuthenticated()) {
			return false;
		}

		$uid = DI::userSession()->getLocalUserId();
		if ($uid == $owner) {
			return true;
		}

		if (DI::userSession()->getLocalUserId() && ($owner == 0)) {
			return true;
		}

		if (!empty($cid = DI::userSession()->getRemoteContactID($owner))) {
			// use remembered decision and avoid a DB lookup for each and every display item
			// DO NOT use this function if there are going to be multiple owners
			// We have a contact-id for an authenticated remote user, this block determines if the contact
			// belongs to this page owner, and has the necessary permissions to post content

			if ($verified === 2) {
				return true;
			} elseif ($verified === 1) {
				return false;
			} else {
				$user = User::getById($owner);
				if (!$user || $user['blockwall']) {
					$verified = 1;
					return false;
				}

				$contact = Contact::getById($cid);
				if ($contact || $contact['blocked'] || $contact['readonly'] || $contact['pending']) {
					$verified = 1;
					return false;
				}

				if (in_array($contact['rel'], [Contact::SHARING, Contact::FRIEND]) || ($user['page-flags'] == User::PAGE_FLAGS_COMMUNITY)) {
					$verified = 2;
					return true;
				} else {
					$verified = 1;
				}
			}
		}

		return false;
	}

	/**
	 * Create a permission string for an element based on the visitor
	 *
	 * @param integer $owner_id   User ID of the owner of the element
	 * @param boolean $accessible Should the element be accessible anyway?
	 * @return string SQL permissions
	 */
	public static function getPermissionsSQLByUserId(int $owner_id, bool $accessible = false)
	{
		$local_user = DI::userSession()->getLocalUserId();
		$remote_contact = DI::userSession()->getRemoteContactID($owner_id);
		$acc_sql = '';

		if ($accessible) {
			$acc_sql = ' OR `accessible`';
		}

		/*
		 * Construct permissions
		 *
		 * default permissions - anonymous user
		 */
		$sql = " AND (allow_cid = ''
			 AND allow_gid = ''
			 AND deny_cid  = ''
			 AND deny_gid  = ''" . $acc_sql . ") ";

		/*
		 * Profile owner - everything is visible
		 */
		if ($local_user && $local_user == $owner_id) {
			$sql = '';
		/*
		 * Authenticated visitor. Load the circles the visitor belongs to.
		 */
		} elseif ($remote_contact) {
			$circleIds = '<<>>'; // should be impossible to match

			foreach (Circle::getIdsByContactId($remote_contact) as $circleId) {
				$circleIds .= '|<' . intval($circleId) . '>';
			}

			$sql = sprintf(
				" AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
				  AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s'
				  OR (allow_cid = '' AND allow_gid = ''))" . $acc_sql . ") ",
				intval($remote_contact),
				DBA::escape($circleIds),
				intval($remote_contact),
				DBA::escape($circleIds)
			);
		}
		return $sql;
	}
}
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`<?php`
REUSE src directory 2024-08-24 15:27:00 +02:00
			`// Copyright (C) 2010-2024, the Friendica project`
			`// SPDX-FileCopyrightText: 2010-2024 the Friendica project`
			`//`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
Move ExAuth, FKOAuth1 & FKOAuthDataStore to own namespace `Friendica\Security` 2020-09-30 11:14:01 +02:00			`namespace Friendica\Security;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
			`use Friendica\Database\DBA;`
UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`use Friendica\DI;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`use Friendica\Model\Contact;`
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`use Friendica\Model\Circle;`
Move Contact::Page_* constants to User::PAGE_FLAGS_* 2019-01-06 12:37:48 -05:00			`use Friendica\Model\User;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
			`/**`
			`* Secures that User is allow to do requests`
			`*/`
Replace BaseObject class with DI::* calls 2019-12-15 23:28:01 +01:00			`class Security`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`{`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 21:30:41 +02:00			`public static function canWriteToUserWall($owner)`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`{`
			`static $verified = 0;`

UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`if (!DI::userSession()->isAuthenticated()) {`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`return false;`
			`}`

UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`$uid = DI::userSession()->getLocalUserId();`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`if ($uid == $owner) {`
			`return true;`
			`}`

UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`if (DI::userSession()->getLocalUserId() && ($owner == 0)) {`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`return true;`
			`}`

UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`if (!empty($cid = DI::userSession()->getRemoteContactID($owner))) {`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`// use remembered decision and avoid a DB lookup for each and every display item`
			`// DO NOT use this function if there are going to be multiple owners`
			`// We have a contact-id for an authenticated remote user, this block determines if the contact`
			`// belongs to this page owner, and has the necessary permissions to post content`

			`if ($verified === 2) {`
			`return true;`
			`} elseif ($verified === 1) {`
			`return false;`
			`} else {`
"q" call is replaced 2021-10-02 11:08:12 +00:00			`$user = User::getById($owner);`
			`if (!$user \|\| $user['blockwall']) {`
			`$verified = 1;`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`return false;`
			`}`

"q" call is replaced 2021-10-02 11:08:12 +00:00			`$contact = Contact::getById($cid);`
			`if ($contact \|\| $contact['blocked'] \|\| $contact['readonly'] \|\| $contact['pending']) {`
			`$verified = 1;`
			`return false;`
			`}`
Happy New Year 2023! 2023-01-01 09:36:24 -05:00
"q" call is replaced 2021-10-02 11:08:12 +00:00			`if (in_array($contact['rel'], [Contact::SHARING, Contact::FRIEND]) \|\| ($user['page-flags'] == User::PAGE_FLAGS_COMMUNITY)) {`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`$verified = 2;`
			`return true;`
			`} else {`
			`$verified = 1;`
			`}`
			`}`
			`}`

			`return false;`
			`}`

Issue 8371: Improvements for picture permissions 2020-03-08 13:16:59 +00:00			`/**`
			`* Create a permission string for an element based on the visitor`
			`*`
			`* @param integer $owner_id User ID of the owner of the element`
			`* @param boolean $accessible Should the element be accessible anyway?`
			`* @return string SQL permissions`
			`*/`
			`public static function getPermissionsSQLByUserId(int $owner_id, bool $accessible = false)`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`{`
UserSession class [3] - Refactor src/ files excluding Module/Model 2022-10-20 21:22:47 +02:00			`$local_user = DI::userSession()->getLocalUserId();`
			`$remote_contact = DI::userSession()->getRemoteContactID($owner_id);`
Issue 8371: Improvements for picture permissions 2020-03-08 13:16:59 +00:00			`$acc_sql = '';`

			`if ($accessible) {`
			$acc_sql = ' OR `accessible`';
			`}`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 21:30:41 +02:00			`/*`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`* Construct permissions`
			`*`
			`* default permissions - anonymous user`
			`*/`
Issue 8371: Improvements for picture permissions 2020-03-08 13:16:59 +00:00			`$sql = " AND (allow_cid = ''`
Fix permissions when viewing photos, applying same fix to items as well 2019-09-27 05:49:23 +00:00			`AND allow_gid = ''`
			`AND deny_cid = ''`
Issue 8371: Improvements for picture permissions 2020-03-08 13:16:59 +00:00			`AND deny_gid = ''" . $acc_sql . ") ";`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 21:30:41 +02:00			`/*`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`* Profile owner - everything is visible`
			`*/`
			`if ($local_user && $local_user == $owner_id) {`
			`$sql = '';`
Renaming functions + moving functions from security to Model/Item and BaseModule + fix multiline comments 2018-10-17 21:30:41 +02:00			`/*`
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`* Authenticated visitor. Load the circles the visitor belongs to.`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`*/`
Renamed function, beginning to replace the "remote_user" function 2019-09-28 09:36:41 +00:00			`} elseif ($remote_contact) {`
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`$circleIds = '<<>>'; // should be impossible to match`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`foreach (Circle::getIdsByContactId($remote_contact) as $circleId) {`
			`$circleIds .= '\|<' . intval($circleId) . '>';`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`}`
Renamed function, beginning to replace the "remote_user" function 2019-09-28 09:36:41 +00:00
			`$sql = sprintf(`
			`" AND (NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')`
Issue 8371: Improvements for picture permissions 2020-03-08 13:16:59 +00:00			`AND (allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s'`
			`OR (allow_cid = '' AND allow_gid = ''))" . $acc_sql . ") ",`
Renamed function, beginning to replace the "remote_user" function 2019-09-28 09:36:41 +00:00			`intval($remote_contact),`
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`DBA::escape($circleIds),`
Renamed function, beginning to replace the "remote_user" function 2019-09-28 09:36:41 +00:00			`intval($remote_contact),`
Replace "group" with "circle" in the rest of the code - Remaining mentions already mean "forum" 2023-05-13 19:54:35 -04:00			`DBA::escape($circleIds)`
Renamed function, beginning to replace the "remote_user" function 2019-09-28 09:36:41 +00:00			`);`
Move include/security tp /src/Core/Authentication and /src/Util/Security 2018-10-17 14:19:58 +02:00			`}`
			`return $sql;`
			`}`
			`}`