Streams/streams
Streams/streams
1
0
Fork 0
mirror of https://codeberg.org/streams/streams.git synced 2024-09-20 05:35:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
streams/include/permissions.php
Alexandre Hannud Abdo b20887995a Implements a new permission level PERMS_PENDING 
With this a user can allow some action to any user which connects
to them, even before they've connected back.

Ref.
https://mobiliza.org.br/display/478d9e71eaf55748dc646d3990651d6d34cfb7db5c38360538ec730ca3ccf908@zothub.com

Also some code cleanup and an alternative logic for handling
notifications of permission changes in zot.php.

This assumes that private posts are still restricted to people in
your addressbook. Regardless of your global permissions, a
pending channel won't get private posts, even if the post
only has a deny clause not matching the pending channel.
2014-06-19 15:13:32 -03:00

398 lines
11 KiB
PHP
Raw Blame History

<?php /** @file */
function get_perms() {
// thinking about making element[2] a bitmask instead of boolean so that we can provide a list of applicable selections
// for any given permission. Currently we use the boolean to disallow write access to "everybody", but we also want to be
// able to handle troublesome settings such as allowing channel_w_stream to anybody in the network. You can allow it, but
// there's no way to implement sending it.
$global_perms = array(
// Read only permissions
'view_stream' => array('channel_r_stream', intval(PERMS_R_STREAM), true, t('Can view my "public" stream and posts'), ''),
'view_profile' => array('channel_r_profile', intval(PERMS_R_PROFILE), true, t('Can view my "public" channel profile'), ''),
'view_photos' => array('channel_r_photos', intval(PERMS_R_PHOTOS), true, t('Can view my "public" photo albums'), ''),
'view_contacts' => array('channel_r_abook', intval(PERMS_R_ABOOK), true, t('Can view my "public" address book'), ''),
'view_storage' => array('channel_r_storage', intval(PERMS_R_STORAGE), true, t('Can view my "public" file storage'), ''),
'view_pages' => array('channel_r_pages', intval(PERMS_R_PAGES), true, t('Can view my "public" pages'), ''),
// Write permissions
'send_stream' => array('channel_w_stream', intval(PERMS_W_STREAM), false, t('Can send me their channel stream and posts'), ''),
'post_wall' => array('channel_w_wall', intval(PERMS_W_WALL), false, t('Can post on my channel page ("wall")'), ''),
'post_comments' => array('channel_w_comment', intval(PERMS_W_COMMENT), false, t('Can comment on my posts'), ''),
'post_mail' => array('channel_w_mail', intval(PERMS_W_MAIL), false, t('Can send me private mail messages'), ''),
'post_photos' => array('channel_w_photos', intval(PERMS_W_PHOTOS), false, t('Can post photos to my photo albums'), ''),
'tag_deliver' => array('channel_w_tagwall', intval(PERMS_W_TAGWALL), false, t('Can forward to all my channel contacts via post @mentions'), t('Advanced - useful for creating group forum channels')),
'chat' => array('channel_w_chat', intval(PERMS_W_CHAT), false, t('Can chat with me (when available)'), t('')),
'write_storage' => array('channel_w_storage', intval(PERMS_W_STORAGE), false, t('Can write to my "public" file storage'), ''),
'write_pages' => array('channel_w_pages', intval(PERMS_W_PAGES), false, t('Can edit my "public" pages'), ''),
'republish' => array('channel_a_republish', intval(PERMS_A_REPUBLISH), false, t('Can source my "public" posts in derived channels'), t('Somewhat advanced - very useful in open communities')),
'delegate' => array('channel_a_delegate', intval(PERMS_A_DELEGATE), false, t('Can administer my channel resources'), t('Extremely advanced. Leave this alone unless you know what you are doing')),
);
$ret = array('global_permissions' => $global_perms);
call_hooks('global_permissions',$ret);
return $ret['global_permissions'];
}
/**
* get_all_perms($uid,$observer_xchan)
*
* @param $uid : The channel_id associated with the resource owner
* @param $observer_xchan: The xchan_hash representing the observer
*
* @returns: array of all permissions, key is permission name, value is true or false
*/
function get_all_perms($uid,$observer_xchan,$internal_use = true) {
$global_perms = get_perms();
// Save lots of individual lookups
$r = null;
$c = null;
$x = null;
$channel_checked = false;
$onsite_checked = false;
$abook_checked = false;
$ret = array();
foreach($global_perms as $perm_name => $permission) {
// First find out what the channel owner declared permissions to be.
$channel_perm = $permission[0];
if(! $channel_checked) {
$r = q("select * from channel where channel_id = %d limit 1",
intval($uid)
);
$channel_checked = true;
}
// The uid provided doesn't exist. This would be a big fail.
if(! $r) {
$ret[$perm_name] = false;
continue;
}
// Next we're going to check for blocked or ignored contacts.
// These take priority over all other settings.
if($observer_xchan) {
if($r[0][$channel_perm] & PERMS_AUTHED) {
$ret[$perm_name] = true;
continue;
}
if(! $abook_checked) {
$x = q("select abook_my_perms, abook_flags, xchan_network from abook left join xchan on abook_xchan = xchan_hash
where abook_channel = %d and abook_xchan = '%s' and not ( abook_flags & %d ) limit 1",
intval($uid),
dbesc($observer_xchan),
intval(ABOOK_FLAG_SELF)
);
if(! $x) {
// not in address book, see if they've got an xchan
$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
dbesc($observer_xchan)
);
}
$abook_checked = true;
}
// If they're blocked - they can't read or write
if(($x) && ($x[0]['abook_flags'] & ABOOK_FLAG_BLOCKED)) {
$ret[$perm_name] = false;
continue;
}
// Check if this is a write permission and they are being ignored
// This flag is only visible internally.
if(($x) && ($internal_use) && (! $global_perms[$perm_name][2]) && ($x[0]['abook_flags'] & ABOOK_FLAG_IGNORED)) {
$ret[$perm_name] = false;
continue;
}
}
// Check if this $uid is actually the $observer_xchan - if it's your content
// you always have permission to do anything
if(($observer_xchan) && ($r[0]['channel_hash'] === $observer_xchan)) {
$ret[$perm_name] = true;
continue;
}
// Anybody at all (that wasn't blocked or ignored). They have permission.
if($r[0][$channel_perm] & PERMS_PUBLIC) {
$ret[$perm_name] = true;
continue;
}
// From here on out, we need to know who they are. If we can't figure it
// out, permission is denied.
if(! $observer_xchan) {
$ret[$perm_name] = false;
continue;
}
// If we're still here, we have an observer, check the network.
if($r[0][$channel_perm] & PERMS_NETWORK) {
if(($x && $x[0]['xchan_network'] === 'zot') || ($y && $y[0]['xchan_network'] === 'zot')) {
$ret[$perm_name] = true;
continue;
}
}
// If PERMS_SITE is specified, find out if they've got an account on this hub
if($r[0][$channel_perm] & PERMS_SITE) {
if(! $onsite_checked) {
$c = q("select channel_hash from channel where channel_hash = '%s' limit 1",
dbesc($observer_xchan)
);
$onsite_checked = true;
}
if($c)
$ret[$perm_name] = true;
else
$ret[$perm_name] = false;
continue;
}
// From here on we require that the observer be a connection and
// handle whether we're allowing any, approved or specific ones
if(! $x) {
$ret[$perm_name] = false;
continue;
}
// They are in your address book, but haven't been approved
if($r[0][$channel_perm] & PERMS_PENDING) {
$ret[$perm_name] = true;
continue;
}
if($x[0]['abook_flags'] & ABOOK_FLAG_PENDING) {
$ret[$perm_name] = false;
continue;
}
// They're a contact, so they have permission
if($r[0][$channel_perm] & PERMS_CONTACTS) {
$ret[$perm_name] = true;
continue;
}
// Permission granted to certain channels. Let's see if the observer is one of them
if($r[0][$channel_perm] & PERMS_SPECIFIC) {
if(($x[0]['abook_my_perms'] & $global_perms[$perm_name][1])) {
$ret[$perm_name] = true;
continue;
}
}
// No permissions allowed.
$ret[$perm_name] = false;
continue;
}
$arr = array(
'channel_id' => $uid,
'observer_hash' => $observer_xchan,
'permissions' => $ret);
call_hooks('get_all_perms',$arr);
return $arr['permissions'];
}
function perm_is_allowed($uid,$observer_xchan,$permission) {
$arr = array(
'channel_id' => $uid,
'observer_hash' => $observer_xchan,
'permission' => $permission,
'result' => false);
call_hooks('perm_is_allowed',$arr);
if($arr['result'])
return true;
$global_perms = get_perms();
// First find out what the channel owner declared permissions to be.
$channel_perm = $global_perms[$permission][0];
$r = q("select %s, channel_hash from channel where channel_id = %d limit 1",
dbesc($channel_perm),
intval($uid)
);
if(! $r)
return false;
if($observer_xchan) {
if($r[0][$channel_perm] & PERMS_AUTHED)
return true;
$x = q("select abook_my_perms, abook_flags, xchan_network from abook left join xchan on abook_xchan = xchan_hash
where abook_channel = %d and abook_xchan = '%s' and not ( abook_flags & %d ) limit 1",
intval($uid),
dbesc($observer_xchan),
intval(ABOOK_FLAG_SELF)
);
// If they're blocked - they can't read or write
if(($x) && ($x[0]['abook_flags'] & ABOOK_FLAG_BLOCKED))
return false;
if(($x) && (! $global_perms[$permission][2]) && ($x[0]['abook_flags'] & ABOOK_FLAG_IGNORED))
return false;
if(! $x) {
// not in address book, see if they've got an xchan
$y = q("select xchan_network from xchan where xchan_hash = '%s' limit 1",
dbesc($observer_xchan)
);
}
}
// Check if this $uid is actually the $observer_xchan
if($r[0]['channel_hash'] === $observer_xchan)
return true;
if($r[0][$channel_perm] & PERMS_PUBLIC)
return true;
// If it's an unauthenticated observer, we only need to see if PERMS_PUBLIC is set
if(! $observer_xchan) {
return false;
}
// If we're still here, we have an observer, check the network.
if($r[0][$channel_perm] & PERMS_NETWORK) {
if (($x && $x[0]['xchan_network'] === 'zot') || ($y && $y[0]['xchan_network'] === 'zot'))
return true;
}
// If PERMS_SITE is specified, find out if they've got an account on this hub
if($r[0][$channel_perm] & PERMS_SITE) {
$c = q("select channel_hash from channel where channel_hash = '%s' limit 1",
dbesc($observer_xchan)
);
if($c)
return true;
return false;
}
// From here on we require that the observer be a connection and
// handle whether we're allowing any, approved or specific ones
if(! $x) {
return false;
}
// They are in your address book, but haven't been approved
if($r[0][$channel_perm] & PERMS_PENDING) {
return true;
}
if($x[0]['abook_flags'] & ABOOK_FLAG_PENDING) {
return false;
}
// They're a contact, so they have permission
if($r[0][$channel_perm] & PERMS_CONTACTS) {
return true;
}
// Permission granted to certain channels. Let's see if the observer is one of them
if(($r) && $r[0][$channel_perm] & PERMS_SPECIFIC) {
if($x[0]['abook_my_perms'] & $global_perms[$permission][1])
return true;
}
// No permissions allowed.
return false;
}
// Check a simple array of observers against a permissions
// return a simple array of those with permission
function check_list_permissions($uid,$arr,$perm) {
$result = array();
if($arr)
foreach($arr as $x)
if(perm_is_allowed($uid,$x,$perm))
$result[] = $x;
return($result);
}
function site_default_perms() {
$typical = array(
'view_stream' => PERMS_PUBLIC,
'view_profile' => PERMS_PUBLIC,
'view_photos' => PERMS_PUBLIC,
'view_contacts' => PERMS_PUBLIC,
'view_storage' => PERMS_PUBLIC,
'view_pages' => PERMS_PUBLIC,
'send_stream' => PERMS_SPECIFIC,
'post_wall' => PERMS_SPECIFIC,
'post_comments' => PERMS_SPECIFIC,
'post_mail' => PERMS_SPECIFIC,
'post_photos' => 0,
'tag_deliver' => PERMS_SPECIFIC,
'chat' => PERMS_SPECIFIC,
'write_storage' => 0,
'write_pages' => 0,
'delegate' => 0,
);
$global_perms = get_perms();
$ret = array();
foreach($global_perms as $perm => $v) {
$x = get_config('default_perms',$perm);
if($x === false)
$x = $typical[$perm];
$ret[$perm] = $x;
}
return $ret;
}
Reference in a new issue View git blame Copy permalink