Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-04-27 07:10:12 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #7305 from deantownsley/imageauthfix

Browse source 
Make authentication work for local private images
This commit is contained in:
Hypolite Petovan 2019-06-23 15:18:15 -04:00 committed by GitHub
commit fa191bd821
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 30 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

22
src/Protocol/DFRN.php
View file

@ -2899,7 +2899,12 @@ class DFRN
{
// prevent looping
if (!empty($_REQUEST['redir'])) {
return;
Logger::log('autoRedir might be looping because redirect has been redirected', Logger::DEBUG);
// looping prevention also appears to sometimes prevent authentication for images
// because browser may have multiple connections open and load an image on a connection
// whose session wasn't updated when a previous redirect authenticated
// Leaving commented in case looping reappears
//return;
}
if ((! $contact_nick) || ($contact_nick === $a->user['nickname'])) {
@ -2923,6 +2928,9 @@ class DFRN
$baseurl = substr($baseurl, $domain_st + 3);
$nurl = Strings::normaliseLink($baseurl);
$r = User::getByNickname($contact_nick, ["uid"]);
$contact_uid = $r["uid"];
/// @todo Why is there a query for "url" *and* "nurl"? Especially this normalising is strange.
$r = q("SELECT `id` FROM `contact` WHERE `uid` = (SELECT `uid` FROM `user` WHERE `nickname` = '%s' LIMIT 1)
AND `nick` = '%s' AND NOT `self` AND (`url` LIKE '%%%s%%' OR `nurl` LIKE '%%%s%%') AND NOT `blocked` AND NOT `pending` LIMIT 1",
@ -2931,9 +2939,19 @@ class DFRN
DBA::escape($baseurl),
DBA::escape($nurl)
);
if ((! DBA::isResult($r)) || $r[0]['id'] == remote_user()) {
if ((! DBA::isResult($r))) {
return;
}
// test if redirect authentication already succeeded
// Note that "contact" in the sense used in the $contact_nick argument to this function
// and the sense in the $remote[]["cid"] in the session are opposite.
// In the session variable the user currently fetching is the contact
// while $contact_nick is the nick of tho user who owns the stuff being fetched.
foreach (\Friendica\Core\Session::get('remote', []) as $visitor) {
if ($visitor['uid'] == $contact_uid && $visitor['cid'] == $r[0]['id']) {
return;
}
}
$r = q("SELECT * FROM contact WHERE nick = '%s'
AND network = '%s' AND uid = %d AND url LIKE '%%%s%%' LIMIT 1",