Merge remote-tracking branch 'mike/master' into dev

2024-09-20 06:15:11 +00:00 · 2018-05-01 10:19:03 +02:00 · 2018-05-01 10:19:03 +02:00 · eb2d6fca3a
commit eb2d6fca3a
parent d872a0ca86 32423a7706
2 changed files with 48 additions and 63 deletions
--- a/Zotlabs/Module/Photo.php
+++ b/Zotlabs/Module/Photo.php
@ -127,69 +127,45 @@ class Photo extends \Zotlabs\Web\Controller {
 				  }
 			}
 			
-			$r = q("SELECT uid FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
+			$r = q("SELECT uid, photo_usage FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
 				dbesc($photo),
 				intval($resolution)
 			);
 			if($r) {

-				$allowed = (($r[0]['uid']) ? perm_is_allowed($r[0]['uid'],$observer_xchan,'view_storage') : true);
+				$allowed = (-1);

-				$sql_extra = permissions_sql($r[0]['uid']);
-
-				if(! $sql_extra)
-					$sql_extra = ' and true ';
-
-				// Only check permissions on normal photos. Those photos we don't check includes
-				// profile photos, xchan photos (which are also profile photos), 'thing' photos,
-				// and cover photos
-	
-				$sql_extra = " and (( photo_usage = 0 $sql_extra ) or photo_usage != 0 )";
+				if(intval($r[0]['photo_usage'])) {
+					$allowed = 1;
+					if(intval($r[0]['photo_usage']) === PHOTO_COVER) 
+						if($resolution < PHOTO_RES_COVER_1200)
+							$allowed = (-1);
+					if(intval($r[0]['photo_usage']) === PHOTO_PROFILE)
+						if(! in_array($resolution,[4,5,6]))
+							$allowed = (-1);
+				}
+				if($allowed === (-1))
+					$allowed = attach_can_view($r[0]['uid'],$observer_xchan,$photo);
 				
 				$channel = channelx_by_n($r[0]['uid']);

 				// Now we'll see if we can access the photo
-				$r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1",
+				$e = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d $sql_extra LIMIT 1",
 					dbesc($photo),
 					intval($resolution)
 				);

-				// viewing cover photos is allowed unless a plugin chooses to block it. 
+				$exists = (($e) ? true : false);

-				if($r && intval($r[0]['photo_usage']) === PHOTO_COVER && $resolution >= PHOTO_RES_COVER_1200)
-					$allowed = 1;
- 
-				$d = [ 'imgscale' => $resolution, 'resource_id' => $photo, 'photo' => $r, 'allowed' => $allowed ];
-				call_hooks('get_photo',$d);
-
-				$resolution = $d['imgscale'];
-				$photo      = $d['resource_id'];
-				$r          = $d['photo'];
-				$allowed    = $d['allowed'];
-
-				if($r && $allowed) {
-					$data = dbunescbin($r[0]['content']);
-					$mimetype = $r[0]['mimetype'];
-					if(intval($r[0]['os_storage'])) {
+				if($exists && $allowed) {
+					$data = dbunescbin($e[0]['content']);
+					$mimetype = $e[0]['mimetype'];
+					if(intval($e[0]['os_storage'])) {
 						$streaming = $data;
 					}
 				}
 				else {
-	
-					// Does the picture exist? It may be a remote person with no credentials,
-					// but who should otherwise be able to view it. Show a default image to let 
-					// them know permissions was denied. It may be possible to view the image 
-					// through an authenticated profile visit.
-					// There won't be many completely unauthorised people seeing this because
-					// they won't have the photo link, so there's a reasonable chance that the person
-					// might be able to obtain permission to view it.
-	
-					$r = q("SELECT * FROM photo WHERE resource_id = '%s' AND imgscale = %d LIMIT 1",
-						dbesc($photo),
-						intval($resolution)
-					);
-	 
-					if($r) {
+					if(! $allowed) {
 						logger('mod_photo: forbidden. ' . \App::$query_string);
 						$observer = \App::get_observer();
 						logger('mod_photo: observer = ' . (($observer) ? $observer['xchan_addr'] : '(not authenticated)'));
@ -201,9 +177,6 @@ class Photo extends \Zotlabs\Web\Controller {
 			}
 		}
 	
-
-
-
 		if(! isset($data)) {
 			if(isset($resolution)) {
 				switch($resolution) {
@ -295,7 +268,6 @@ class Photo extends \Zotlabs\Web\Controller {
 		}

 		killme();
-		// NOTREACHED
 	}
 	
 }
--- a/include/attach.php
+++ b/include/attach.php
@ -266,14 +266,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 		return $ret;
 	}

-	if(! perm_is_allowed($r[0]['uid'], $observer_hash, 'view_storage')) {
+	if(! attach_can_view($r[0]['uid'], $observer_hash, $hash)) {
 		$ret['message'] = t('Permission denied.');
 		return $ret;
 	}

-	$sql_extra = permissions_sql($r[0]['uid'],$observer_hash);
-
-	// Now we'll see if we can access the attachment
+	// We've already checked for existence and permissions

 	$r = q("SELECT * FROM attach WHERE hash = '%s' and uid = %d $sql_extra LIMIT 1",
 		dbesc($hash),
@ -281,20 +279,12 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 	);

 	if(! $r) {
-		$ret['message'] = t('Permission denied.');
+		$ret['message'] = t('Unknown error.');
 		return $ret;
 	}

 	$r[0]['content'] = dbunescbin($r[0]['content']);

-	if($r[0]['folder']) {
-		$x = attach_can_view_folder($r[0]['uid'],$observer_hash,$r[0]['folder']);
-		if(! $x) {
-			$ret['message'] = t('Permission denied.');
-			return $ret;
-		}
-	}
-
 	$ret['success'] = true;
 	$ret['data'] = $r[0];

@ -302,6 +292,29 @@ function attach_by_hash($hash, $observer_hash, $rev = 0) {
 }


+function attach_can_view($uid,$ob_hash,$resource) {
+
+	$sql_extra = permissions_sql($uid,$ob_hash);
+	$hash = $resource;
+
+	if(! perm_is_allowed($uid,$ob_hash,'view_storage')) {
+		return false;
+	}
+
+	$r = q("select folder from attach where hash = '%s' and uid = %d $sql_extra",
+		dbesc($hash),
+		intval($uid)
+	);
+	if(! $r) {
+		return false;
+	}
+
+	return attach_can_view_folder($uid,$ob_hash,$r[0]['folder']);
+
+}
+
+
+
 function attach_can_view_folder($uid,$ob_hash,$folder_hash) {

 	$sql_extra = permissions_sql($uid,$ob_hash);