keith/friendica
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Append author's contact id to allowed contacts to prevent empty ACL for private posts

Browse source
This commit is contained in:
Hypolite Petovan 2020-12-21 00:26:48 -05:00
parent b0234f4ef9
commit 3f32d04c44
1 changed files with 9 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
mod/item.php
View file

@ -50,6 +50,7 @@ use Friendica\Model\Notify\Type;
use Friendica\Model\Photo; use Friendica\Model\Photo;
use Friendica\Model\Post; use Friendica\Model\Post;
use Friendica\Model\Tag; use Friendica\Model\Tag;
use Friendica\Model\User;
use Friendica\Network\HTTPException; use Friendica\Network\HTTPException;
use Friendica\Object\EMail\ItemCCEMail; use Friendica\Object\EMail\ItemCCEMail;
use Friendica\Protocol\Activity; use Friendica\Protocol\Activity;
@ -195,8 +196,7 @@ function item_post(App $a) {
$orig_post = Item::selectFirst(Item::ITEM_FIELDLIST, ['id' => $post_id]); $orig_post = Item::selectFirst(Item::ITEM_FIELDLIST, ['id' => $post_id]);
} }
$user = DBA::selectFirst('user', [], ['uid' => $profile_uid]); $user = User::getById($profile_uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
if (!DBA::isResult($user) && !$toplevel_item_id) { if (!DBA::isResult($user) && !$toplevel_item_id) {
return 0; return 0;
} }
@ -272,6 +272,11 @@ function item_post(App $a) {
$str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? ''; $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? '';
$str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? ''; $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? '';
$str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? ''; $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? '';
// Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
// that would make the item public. So we always append the author's contact id to the allowed contacts.
// See https://github.com/friendica/friendica/issues/9672
$str_contact_allow .= $aclFormatter->toString(Contact::getPublicIdByUserId($uid));
} }
$title = trim($_REQUEST['title'] ?? ''); $title = trim($_REQUEST['title'] ?? '');
@ -750,7 +755,7 @@ function item_post(App $a) {
'type' => Type::COMMENT, 'type' => Type::COMMENT,
'otype' => Notify\ObjectType::ITEM, 'otype' => Notify\ObjectType::ITEM,
'verb' => Activity::POST, 'verb' => Activity::POST,
'uid' => $user['uid'], 'uid' => $profile_uid,
'cid' => $datarray['author-id'], 'cid' => $datarray['author-id'],
'item' => $datarray, 'item' => $datarray,
'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']), 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),
@ -760,7 +765,7 @@ function item_post(App $a) {
'type' => Type::WALL, 'type' => Type::WALL,
'otype' => Notify\ObjectType::ITEM, 'otype' => Notify\ObjectType::ITEM,
'verb' => Activity::POST, 'verb' => Activity::POST,
'uid' => $user['uid'], 'uid' => $profile_uid,
'cid' => $datarray['author-id'], 'cid' => $datarray['author-id'],
'item' => $datarray, 'item' => $datarray,
'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']), 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),