Merge pull request #3 from redmatrix/master

updating from original codebase
2024-09-23 22:15:12 +00:00 · 2015-09-22 13:11:54 +02:00 · 2015-09-22 13:11:54 +02:00 · 5ec3d3e36d
commit 5ec3d3e36d
parent 49d11ed9f8 4b13f0e025
18 changed files with 313 additions and 150 deletions
--- a/boot.php
+++ b/boot.php
@ -50,7 +50,7 @@ define ( 'PLATFORM_NAME',           'hubzilla' );
 define ( 'RED_VERSION',             trim(file_get_contents('version.inc')) . 'H');
 define ( 'ZOT_REVISION',            1     );
-define ( 'DB_UPDATE_VERSION',       1153  );
+define ( 'DB_UPDATE_VERSION',       1154  );
 /**
 * @brief Constant with a HTML line break.
--- a/include/ItemObject.php
+++ b/include/ItemObject.php
@ -286,6 +286,7 @@ class Item extends BaseObject {
 			'body' => $body,
 			'text' => strip_tags($body),
 			'id' => $this->get_id(),
 			'mid' => $item['mid'],
 			'isevent' => $isevent,
 			'attend' => $attend,
 			'consensus' => $consensus,
@ -301,6 +302,7 @@ class Item extends BaseObject {
 			'vwall' => t('via Wall-To-Wall:'),
 			'profile_url' => $profile_link,
 			'item_photo_menu' => item_photo_menu($item),
 			'dreport' => t('Delivery Report'),
 			'name' => $profile_name,
 			'thumb' => $profile_avatar,
 			'osparkle' => $osparkle,
--- a/include/deliver.php
+++ b/include/deliver.php
@ -15,7 +15,10 @@ function deliver_run($argv, $argc) {
 	logger('deliver: invoked: ' . print_r($argv,true), LOGGER_DATA);
 	for($x = 1; $x < $argc; $x ++) {
 		$dresult = null;
 		$r = q("select * from outq where outq_hash = '%s' limit 1",
 			dbesc($argv[$x])
 		);
@ -98,11 +101,29 @@ function deliver_run($argv, $argc) {
 					}	
 					else {	
 						$msg = array('body' => json_encode(array('success' => true, 'pickup' => array(array('notify' => $notify,'message' => $m)))));
-						zot_import($msg,z_root());
+						$dresult = zot_import($msg,z_root());
 					}
 					$r = q("delete from outq where outq_hash = '%s'",
 						dbesc($argv[$x])
 					);
 					if($dresult && is_array($dresult)) {
 						foreach($dresult as $xx) {
 							if(is_array($xx) && array_key_exists('message_id',$xx)) {
 								q("insert into dreport ( dreport_mid, dreport_site, dreport_recip, dreport_result, dreport_time, dreport_xchan ) values ( '%s', '%s','%s','%s','%s','%s' ) ",
 									dbesc($xx['message_id']),
 									dbesc($xx['location']),
 									dbesc($xx['recipient']),
 									dbesc($xx['status']),
 									dbesc(datetime_convert($xx['date'])),
 									dbesc($xx['sender'])
 								);
 							}
 						}
 					}
 					q("delete from dreport where dreport_queue = '%s' limit 1",
 						dbesc($argv[$x])
 					);
 				}
 			}
 			else {
--- a/include/items.php
+++ b/include/items.php
@ -4417,6 +4417,18 @@ function delete_item_lowlevel($item, $stage = DROPITEM_NORMAL, $force = false) {
 		intval($item['uid'])
 	);
 	// remove delivery reports
 	$c = q("select channel_hash from channel where channel_id = %d limit 1",
 		intval($item['uid'])
 	);
 	if($c) {
 		q("delete from dreport where dreport_xchan = '%s' and  dreport_mid = '%s'",
 			dbesc($c[0]['channel_hash']),
 			dbesc($item['mid'])
 		);
 	}
 	// network deletion request. Keep the message structure so that we can deliver delete notifications.
 	// Come back after several days (or perhaps a month) to do the lowlevel delete (DROPITEM_PHASE2).
--- a/include/notifier.php
+++ b/include/notifier.php
@ -662,6 +662,18 @@ function notifier_run($argv, $argc){
 				dbesc($n),
 				dbesc(json_encode($encoded_item))
 			);
 			// only create delivery reports for normal undeleted items
 			if(array_key_exists('postopts',$target_item) && (! $target_item['item_deleted'])) {
 				q("insert into dreport ( dreport_mid, dreport_site, dreport_recip, dreport_result, dreport_time, dreport_xchan, dreport_queue ) values ( '%s','%s','%s','%s','%s','%s','%s' ) ",
 					dbesc($target_item['mid']),
 					dbesc($hub['hubloc_host']),
 					dbesc($hub['hubloc_host']),
 					dbesc('queued'),
 					dbesc(datetime_convert()),
 					dbesc($channel['channel_hash']),
 					dbesc($hash)
 				);
 			}
 		}
 		$deliver[] = $hash;
--- a/include/poller.php
+++ b/include/poller.php
@ -201,6 +201,17 @@ function poller_run($argv, $argc){
 			db_utcnow(), db_quoteinterval('30 DAY')
 		);
 		// expire old delivery reports
 		$keep_reports = intval(get_config('system','expire_delivery_reports'));
 		if($keep_reports === 0)
 			$keep_reports = 30;
 		q("delete from dreport where dreport_time < %s - INTERVAL %s",
 			db_utcnow(),
 			db_quoteinterval($keep_reports . ' DAY')
 		);
 		// expire any expired accounts
 		downgrade_accounts();
--- a/include/zot.php
+++ b/include/zot.php
@ -957,6 +957,25 @@ function zot_process_response($hub, $arr, $outq) {
 		logger('zot_process_response: headers: ' . print_r($arr['header'],true), LOGGER_DATA);
 	}
 	if(array_key_exists('delivery_report',$x)) {
 		foreach($x['delivery_report'] as $xx) {
 			if(is_array($xx) && array_key_exists('message_id',$xx)) {
 				q("insert into dreport ( dreport_mid, dreport_site, dreport_recip, dreport_result, dreport_time, dreport_xchan ) values ( '%s', '%s','%s','%s','%s','%s' ) ",
 					dbesc($xx['message_id']),
 					dbesc($xx['location']),
 					dbesc($xx['recipient']),
 					dbesc($xx['status']),
 					dbesc(datetime_convert($xx['date'])),
 					dbesc($xx['sender'])
 				);
 			}
 		}
 	}
 	q("delete from dreport where dreport_queue = '%s' limit 1",
 		dbesc($outq['outq_hash'])
 	);
 	// update the timestamp for this site
 	q("update site set site_dead = 0, site_update = '%s' where site_url = '%s'",
@ -1564,6 +1583,13 @@ function process_delivery($sender, $arr, $deliveries, $relay, $public = false, $
 		$DR->addto_recipient($channel['channel_name'] . ' <' . $channel['channel_address'] . '@' . get_app()->get_hostname() . '>');
 		if($d['hash'] === $sender['hash']) {
 			$DR->update('self delivery ignored');
 			$result[] = $DR->get();
 			continue;
 		}
 		// allow public postings to the sys channel regardless of permissions, but not
 		// for comments travelling upstream. Wait and catch them on the way down.
 		// They may have been blocked by the owner.
--- a/install/schema_mysql.sql
+++ b/install/schema_mysql.sql
@ -359,11 +359,13 @@ CREATE TABLE IF NOT EXISTS `dreport` (
  `dreport_result` char(255) NOT NULL DEFAULT '',
  `dreport_time` datetime NOT NULL DEFAULT '0000-00-00 00:00:00',
  `dreport_xchan` char(255) NOT NULL DEFAULT '',
  `dreport_queue` char(255) NOT NULL DEFAULT '',
  PRIMARY KEY (`dreport_id`),
  KEY `dreport_mid` (`dreport_mid`),
  KEY `dreport_site` (`dreport_site`),
  KEY `dreport_time` (`dreport_time`),
  KEY `dreport_xchan` (`dreport_xchan`),
  KEY `dreport_queue` (`dreport_queue`),
  KEY `dreport_channel` (`dreport_channel`)
 ) ENGINE=MyISAM DEFAULT CHARSET=utf8;
--- a/install/schema_postgres.sql
+++ b/install/schema_postgres.sql
@ -350,6 +350,7 @@ CREATE TABLE IF NOT EXISTS "dreport" (
  "dreport_result" char(255) NOT NULL DEFAULT '',
  "dreport_time" timestamp NOT NULL DEFAULT '0001-01-01 00:00:00',
  "dreport_xchan" char(255) NOT NULL DEFAULT '',
  "dreport_queue" char(255) NOT NULL DEFAULT '',
  PRIMARY KEY ("dreport_id")
 );
@ -357,6 +358,7 @@ create index "dreport_mid" on dreport ("dreport_mid");
 create index "dreport_site" on dreport ("dreport_site");
 create index "dreport_time" on dreport ("dreport_time");
 create index "dreport_xchan" on dreport ("dreport_xchan");
 create index "dreport_queue" on dreport ("dreport_queue");
 create index "dreport_channel" on dreport ("dreport_channel");
--- a/install/update.php
+++ b/install/update.php
@ -1,6 +1,6 @@
 <?php
-define( 'UPDATE_VERSION' , 1153 );
+define( 'UPDATE_VERSION' , 1154 );
 /**
 *
@ -1854,3 +1854,14 @@ function update_r1152() {
    return UPDATE_FAILED;
 }
 function update_r1153() {
 	$r1 = q("ALTER TABLE dreport ADD dreport_queue CHAR( 255 ) NOT NULL DEFAULT '' ");
 	$r2 = q("create index dreport_queue on dreport ( dreport_queue) ");
    if($r1 && $r2)
        return UPDATE_SUCCESS;
    return UPDATE_FAILED;
 }
--- a/mod/cloud.php
+++ b/mod/cloud.php
@ -73,6 +73,8 @@ function cloud_init(&$a) {
 	$server->addPlugin($lockPlugin);
 /* This next bit should no longer be needed... */
 	// The next section of code allows us to bypass prompting for http-auth if a
 	// FILE is being accessed anonymously and permissions allow this. This way
 	// one can create hotlinks to public media files in their cloud and anonymous
@ -83,24 +85,24 @@ function cloud_init(&$a) {
 	// In order to avoid prompting for passwords for viewing a DIRECTORY, add
 	// the URL query parameter 'davguest=1'.
-	$isapublic_file = false;
+//	$isapublic_file = false;
-	$davguest = ((x($_SESSION, 'davguest')) ? true : false);
+//	$davguest = ((x($_SESSION, 'davguest')) ? true : false);
-	if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
+//	if ((! $auth->observer) && ($_SERVER['REQUEST_METHOD'] === 'GET')) {
-		try { 
+//		try { 
-			$x = RedFileData('/' . $a->cmd, $auth);
+//			$x = RedFileData('/' . $a->cmd, $auth);
-			if($x instanceof RedDAV\RedFile)
+//			if($x instanceof RedDAV\RedFile)
-				$isapublic_file = true;
+//				$isapublic_file = true;
-		}
+//		}
-		catch (Exception $e) {
+//		catch (Exception $e) {
-			$isapublic_file = false;
+//			$isapublic_file = false;
-		}
+//		}
-	}
+//	}
-	if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
+//	if ((! $auth->observer) && (! $isapublic_file) && (! $davguest)) {
-		logger('mod_cloud: auth exception');
+//		logger('mod_cloud: auth exception');
-		http_status_exit(401, 'Permission denied.');
+//		http_status_exit(401, 'Permission denied.');
-	}
+//	}
 	require_once('include/RedDAV/RedBrowser.php');
 	// provide a directory view for the cloud in Hubzilla
--- a/mod/dreport.php
+++ b/mod/dreport.php
@ -0,0 +1,43 @@
 <?php
 function dreport_content(&$a) {
 	if(! local_channel()) {
 		notice( t('Permission denied') . EOL);
 		return;
 	}
 	$channel = $a->get_channel();
 	$mid = ((argc() > 1) ? argv(1) : '');
 	if(! $mid) {
 		notice( t('Invalid message') . EOL);
 		return;
 	}
 	$r = q("select * from dreport where dreport_xchan = '%s' and dreport_mid = '%s'",
 		dbesc($channel['channel_hash']),
 		dbesc($mid)
 	);
 	if(! $r) {
 		notice( t('no results') . EOL);
 		return;
 	}
 	$o .= '<h2>' . sprintf( t('Delivery report for %1$s'),substr($mid,0,32)) . '...' . '</h2>';
 	$o .= '<table>';
 	foreach($r as $rr) {
 		$name = escape_tags(substr($rr['dreport_recip'],strpos($rr['dreport_recip'],' ')));
 		$o .= '<tr><td>' . $name . '</td><td>' . escape_tags($rr['dreport_result']) . '</td><td>' . escape_tags($rr['dreport_time']) . '</td></tr>';
 	}
 	$o .= '</table>';
 	return $o;
 }
--- a/mod/item.php
+++ b/mod/item.php
@ -641,6 +641,7 @@ function item_post(&$a) {
 	$item_unseen = ((local_channel() != $profile_uid) ? 1 : 0);
 	$item_wall = (($post_type === 'wall' || $post_type === 'wall-comment') ? 1 : 0);
 	$item_origin = (($origin) ? 1 : 0);
 	$item_consensus = (($consensus) ? 1 : 0);
 	// determine if this is a wall post
--- a/mod/locs.php
+++ b/mod/locs.php
@ -50,8 +50,17 @@ function locs_post(&$a) {
 				return;
 			}
 			if(intval($r[0]['hubloc_primary'])) {
-				notice( t('Primary location cannot be removed.') . EOL);
+				$x = q("select hubloc_id from hubloc where hubloc_primary = 1 and hubloc_hash = '%s'",
-				return;
+					dbesc($channel['channel_hash'])
 				);
 				if(! $x) {
 					notice( t('Location lookup failed.'));
 					return;
 				}
 				if(count($x) == 1) {
 					notice( t('Please select another location to become primary before removing the primary location.') . EOL);
 					return;
 				}
 			}
 			$r = q("update hubloc set hubloc_deleted = 1 where hubloc_id = %d and hubloc_hash = '%s'",
@ -91,8 +100,6 @@ function locs_content(&$a) {
 		$r[$x]['deleted'] = (intval($r[$x]['hubloc_deleted']) ? true : false);
 	}
 	$o = replace_macros(get_markup_template('locmanage.tpl'), array(
 		'$header' => t('Manage Channel Locations'),
 		'$loc' => t('Location (address)'),
--- a/mod/post.php
+++ b/mod/post.php
@ -117,7 +117,7 @@ function post_init(&$a) {
 		}
 		// Try and find a hubloc for the person attempting to auth
-		$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' order by hubloc_id desc limit 1",
+		$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' order by hubloc_id desc",
 			dbesc($address)
 		);
@ -128,7 +128,7 @@ function post_init(&$a) {
 				$j = json_decode($ret['body'], true);
 				if ($j)
 					import_xchan($j);
-				$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' order by hubloc_id desc limit 1",
+				$x = q("select * from hubloc left join xchan on xchan_hash = hubloc_hash where hubloc_addr = '%s' order by hubloc_id desc",
 					dbesc($address)
 				);
 			}
@ -144,152 +144,159 @@ function post_init(&$a) {
 			goaway($desturl);
 		}
 		logger('mod_zot: auth request received from ' . $x[0]['hubloc_addr'] ); 
-		// check credentials and access
+		foreach($x as $xx) {
 			logger('mod_zot: auth request received from ' . $xx['hubloc_addr'] ); 
-		// If they are already authenticated and haven't changed credentials, 
+			// check credentials and access
 		// we can save an expensive network round trip and improve performance.
-		$remote = remote_channel();
+			// If they are already authenticated and haven't changed credentials, 
-		$result = null;
+			// we can save an expensive network round trip and improve performance.
 		$remote_service_class = '';
 		$remote_level = 0;
 		$remote_hub = $x[0]['hubloc_url'];
 		$DNT = 0;
-		// Also check that they are coming from the same site as they authenticated with originally.
+			$remote = remote_channel();
 			$result = null;
 			$remote_service_class = '';
 			$remote_level = 0;
 			$remote_hub = $xx['hubloc_url'];
 			$DNT = 0;
-		$already_authed = ((($remote) && ($x[0]['hubloc_hash'] == $remote) && ($x[0]['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false); 
+			// Also check that they are coming from the same site as they authenticated with originally.
 		if($delegate && $delegate !== $_SESSION['delegate_channel'])
 			$already_authed = false;
-		$j = array();
+			$already_authed = ((($remote) && ($xx['hubloc_hash'] == $remote) && ($xx['hubloc_url'] === $_SESSION['remote_hub'])) ? true : false); 
 			if($delegate && $delegate !== $_SESSION['delegate_channel'])
 				$already_authed = false;
-		if (! $already_authed) {
+			$j = array();
-			// Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the site private key
+			if (! $already_authed) {
 			// The actual channel sending the packet ($c[0]) is not important, but this provides a generic zot packet with a sender
 			// which can be verified
-			$p = zot_build_packet($c[0],$type = 'auth_check', array(array('guid' => $x[0]['hubloc_guid'],'guid_sig' => $x[0]['hubloc_guid_sig'])), $x[0]['hubloc_sitekey'], $sec);
+				// Auth packets MUST use ultra top-secret hush-hush mode - e.g. the entire packet is encrypted using the site private key
-			if ($test) {
+				// The actual channel sending the packet ($c[0]) is not important, but this provides a generic zot packet with a sender
-				$ret['message'] .= 'auth check packet created using sitekey ' . $x[0]['hubloc_sitekey'] . EOL;
+				// which can be verified
 				$ret['message'] .= 'packet contents: ' . $p . EOL;
 			}
-			$result = zot_zot($x[0]['hubloc_callback'],$p);
+				$p = zot_build_packet($c[0],$type = 'auth_check', array(array('guid' => $xx['hubloc_guid'],'guid_sig' => $xx['hubloc_guid_sig'])), $xx['hubloc_sitekey'], $sec);
 			if (! $result['success']) {
 				logger('mod_zot: auth_check callback failed.');
 				if ($test) {
-					$ret['message'] .= 'auth check request to your site returned .' . print_r($result, true) . EOL;
+					$ret['message'] .= 'auth check packet created using sitekey ' . $xx['hubloc_sitekey'] . EOL;
-					json_return_and_die($ret);
+					$ret['message'] .= 'packet contents: ' . $p . EOL;
 				}
-				goaway($desturl);
+				$result = zot_zot($xx['hubloc_callback'],$p);
 			}
 			$j = json_decode($result['body'], true);
 			if (! $j) {
 				logger('mod_zot: auth_check json data malformed.');
 				if($test) {
 					$ret['message'] .= 'json malformed: ' . $result['body'] . EOL;
 					json_return_and_die($ret);
 				}
 			}
 		}
-		if ($test) {
+				if (! $result['success']) {
-			$ret['message'] .= 'auth check request returned .' . print_r($j, true) . EOL;
+					logger('mod_zot: auth_check callback failed.');
 		}
 		if ($already_authed || $j['success']) {
 			if ($j['success']) {
 				// legit response, but we do need to check that this wasn't answered by a man-in-middle
 				if (! rsa_verify($sec . $x[0]['xchan_hash'],base64url_decode($j['confirm']),$x[0]['xchan_pubkey'])) {
 					logger('mod_zot: auth: final confirmation failed.');
 					if ($test) {
-						$ret['message'] .= 'final confirmation failed. ' . $sec . print_r($j,true) . print_r($x[0],true);
+						$ret['message'] .= 'auth check request to your site returned .' . print_r($result, true) . EOL;
-						json_return_and_die($ret);
+						continue;
 					}
-
+					continue;
 					goaway($desturl);
 				}
-				if (array_key_exists('service_class',$j))
+				$j = json_decode($result['body'], true);
-					$remote_service_class = $j['service_class'];
+				if (! $j) {
-				if (array_key_exists('level',$j))
+					logger('mod_zot: auth_check json data malformed.');
-					$remote_level = $j['level'];
+					if($test) {
-				if (array_key_exists('DNT',$j))
+						$ret['message'] .= 'json malformed: ' . $result['body'] . EOL;
-					$DNT = $j['DNT'];
+						continue;
 			}
 			// everything is good... maybe
 			if(local_channel()) {
 				// tell them to logout if they're logged in locally as anything but the target remote account
 				// in which case just shut up because they don't need to be doing this at all.
 				if ($a->channel['channel_hash'] != $x[0]['xchan_hash']) {
 					logger('mod_zot: auth: already authenticated locally as somebody else.');
 					notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry.') . EOL);
 					if ($test) {
 						$ret['message'] .= 'already logged in locally with a conflicting identity.' . EOL;
 						json_return_and_die($ret);
 					}
 				}
 				goaway($desturl);
 			}
 			// log them in
 			if ($test) {
-				$ret['success'] = true;
+				$ret['message'] .= 'auth check request returned .' . print_r($j, true) . EOL;
 				$ret['message'] .= 'Authentication Success!' . EOL;
 				json_return_and_die($ret);
 			}
-			$delegation_success = false;
+			if ($already_authed || $j['success']) {
-			if ($delegate) {
+				if ($j['success']) {
-				$r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
+					// legit response, but we do need to check that this wasn't answered by a man-in-middle
-					dbesc($delegate)
+					if (! rsa_verify($sec . $xx['xchan_hash'],base64url_decode($j['confirm']),$xx['xchan_pubkey'])) {
-				);
+						logger('mod_zot: auth: final confirmation failed.');
-				if ($r && intval($r[0]['channel_id'])) {
+						if ($test) {
-					$allowed = perm_is_allowed($r[0]['channel_id'],$x[0]['xchan_hash'],'delegate');
+							$ret['message'] .= 'final confirmation failed. ' . $sec . print_r($j,true) . print_r($xx,true);
-					if ($allowed) {
+							continue;
-						$_SESSION['delegate_channel'] = $r[0]['channel_id'];
+						}
-						$_SESSION['delegate'] = $x[0]['xchan_hash'];
+
-						$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
+						continue;
-						require_once('include/security.php');
+					}
-						change_channel($r[0]['channel_id']);
+					if (array_key_exists('service_class',$j))
-						$delegation_success = true;
+						$remote_service_class = $j['service_class'];
 					if (array_key_exists('level',$j))
 						$remote_level = $j['level'];
 					if (array_key_exists('DNT',$j))
 						$DNT = $j['DNT'];
 				}
 				// everything is good... maybe
 				if(local_channel()) {
 					// tell them to logout if they're logged in locally as anything but the target remote account
 					// in which case just shut up because they don't need to be doing this at all.
 					if ($a->channel['channel_hash'] != $xx['xchan_hash']) {
 						logger('mod_zot: auth: already authenticated locally as somebody else.');
 						notice( t('Remote authentication blocked. You are logged into this site locally. Please logout and retry.') . EOL);
 						if ($test) {
 							$ret['message'] .= 'already logged in locally with a conflicting identity.' . EOL;
 							continue;
 						}
 					}
 					continue;
 				}
 				// log them in
 				if ($test) {
 					$ret['success'] = true;
 					$ret['message'] .= 'Authentication Success!' . EOL;
 					json_return_and_die($ret);
 				}
 				$delegation_success = false;
 				if ($delegate) {
 					$r = q("select * from channel left join xchan on channel_hash = xchan_hash where xchan_addr = '%s' limit 1",
 						dbesc($delegate)
 					);
 					if ($r && intval($r[0]['channel_id'])) {
 						$allowed = perm_is_allowed($r[0]['channel_id'],$xx['xchan_hash'],'delegate');
 						if ($allowed) {
 							$_SESSION['delegate_channel'] = $r[0]['channel_id'];
 							$_SESSION['delegate'] = $xx['xchan_hash'];
 							$_SESSION['account_id'] = intval($r[0]['channel_account_id']);
 							require_once('include/security.php');
 							change_channel($r[0]['channel_id']);
 							$delegation_success = true;
 						}
 					}
 				}
 				$_SESSION['authenticated'] = 1;
 				if (! $delegation_success) {
 					$_SESSION['visitor_id'] = $xx['xchan_hash'];
 					$_SESSION['my_url'] = $xx['xchan_url'];
 					$_SESSION['my_address'] = $address;
 					$_SESSION['remote_service_class'] = $remote_service_class;
 					$_SESSION['remote_level'] = $remote_level;
 					$_SESSION['remote_hub'] = $remote_hub;
 					$_SESSION['DNT'] = $DNT;
 				}
 				$arr = array('xchan' => $xx, 'url' => $desturl, 'session' => $_SESSION);
 				call_hooks('magic_auth_success',$arr);
 				$a->set_observer($xx);
 				require_once('include/security.php');
 				$a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
 				info(sprintf( t('Welcome %s. Remote authentication successful.'),$xx['xchan_name']));
 				logger('mod_zot: auth success from ' . $xx['xchan_addr']); 
 			} 
 			else {
 				if ($test) {
 					$ret['message'] .= 'auth failure. ' . print_r($_REQUEST,true) . print_r($j,true) . EOL;
 					continue;
 				}
 				logger('mod_zot: magic-auth failure - not authenticated: ' . $xx['xchan_addr']);
 			}
-			$_SESSION['authenticated'] = 1;
+			if ($test) {
-			if (! $delegation_success) {
+				$ret['message'] .= 'auth failure fallthrough ' . print_r($_REQUEST,true) . print_r($j,true) . EOL;
-				$_SESSION['visitor_id'] = $x[0]['xchan_hash'];
+				continue;
 				$_SESSION['my_url'] = $x[0]['xchan_url'];
 				$_SESSION['my_address'] = $address;
 				$_SESSION['remote_service_class'] = $remote_service_class;
 				$_SESSION['remote_level'] = $remote_level;
 				$_SESSION['remote_hub'] = $remote_hub;
 				$_SESSION['DNT'] = $DNT;
 			}
 			$arr = array('xchan' => $x[0], 'url' => $desturl, 'session' => $_SESSION);
 			call_hooks('magic_auth_success',$arr);
 			$a->set_observer($x[0]);
 			require_once('include/security.php');
 			$a->set_groups(init_groups_visitor($_SESSION['visitor_id']));
 			info(sprintf( t('Welcome %s. Remote authentication successful.'),$x[0]['xchan_name']));
 			logger('mod_zot: auth success from ' . $x[0]['xchan_addr']); 
 		}
 		else {
 			if($test) {
 				$ret['message'] .= 'auth failure. ' . print_r($_REQUEST,true) . print_r($j,true) . EOL;
 				json_return_and_die($ret);
 			}
 			logger('mod_zot: magic-auth failure - not authenticated: ' . $x[0]['xchan_addr']);
 		}
 		/**
@ -299,14 +306,13 @@ function post_init(&$a) {
 		 * But z_root() probably isn't where you really want to go.
 		 */
 		if ($test) {
 			$ret['message'] .= 'auth failure fallthrough ' . print_r($_REQUEST,true) . print_r($j,true) . EOL;
 			json_return_and_die($ret);
 		}
 		if(strstr($desturl,z_root() . '/rmagic'))
 			goaway(z_root());
 		if ($test) {
 			json_return_and_die($ret);
 		}
 		goaway($desturl);
 	}
 }
--- a/version.inc
+++ b/version.inc
@ -1 +1 @@
-2015-09-20.1161
+2015-09-22.1163
--- a/view/tpl/conv_item.tpl
+++ b/view/tpl/conv_item.tpl
@ -123,6 +123,11 @@
 							{{if $item.item_photo_menu}}
 							<li role="presentation" class="divider"></li>
 							{{$item.item_photo_menu}}
 							{{if $item.edpost}}
 							<li role="presentation"><a role="menuitem" href="dreport/{{$item.mid}}">{{$item.dreport}}</a></li>
 							{{/if}}
 							{{/if}}
 						</ul>
 					</div>
--- a/view/tpl/locmanage.tpl
+++ b/view/tpl/locmanage.tpl
@ -19,7 +19,7 @@ function drophub(id) {
 {{if $hub.primary}}<button class="btn btn-std"><i class="icon-check"></i></button>{{else}}<button class="btn btn-std" onclick="primehub({{$hub.hubloc_id}}); return false;" ><i class="icon-check-empty"  ></i></button>{{/if}}
 </td>
-<td>{{if $hub.primary}}{{else}}{{if ! $hub.deleted}}<button class="btn btn-std" onclick="drophub({{$hub.hubloc_id}}); return false;"><i class="icon-trash"></i></button>{{/if}}{{/if}}</td>
+<td>{{if ! $hub.deleted}}<button class="btn btn-std" onclick="drophub({{$hub.hubloc_id}}); return false;"><i class="icon-trash"></i></button>{{/if}}</td>
 </tr>
 {{/foreach}}
 </table>