expand permission check to remote array

This check was preventing multiple private images from different
users on the same server from loading on the same page.
It was only checking for permission for the single id returned by the
remote_user() function rather than the multiple possible authenticated
IDs stored in the remote array session variable.
Dean Townsley 2019-06-08 10:11:02 -05:00
parent 8c5923bb46
commit af85e498ce


@ -120,9 +120,21 @@ class Security extends BaseObject
*/ */
if (!$remote_verified) { if (!$remote_verified) {
if (DBA::exists('contact', ['id' => $remote_user, 'uid' => $owner_id, 'blocked' => false])) { $cid = 0;
if (!empty($_SESSION['remote'])) {
foreach ($_SESSION['remote'] as $visitor) {
Logger::log("this remote array entry is".$visitor);
if ($visitor['uid'] == $owner_id) {
$cid = $visitor['cid'];
break;
}
}
}
if ($cid && DBA::exists('contact', ['id' => $cid, 'uid' => $owner_id, 'blocked' => false])) {
$remote_verified = true; $remote_verified = true;
$groups = Group::getIdsByContactId($remote_user); $groups = Group::getIdsByContactId($cid);
} }
} }
@ -140,9 +152,9 @@ class Security extends BaseObject
AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') ) AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
) )
", ",
intval($remote_user), intval($cid),
DBA::escape($gs), DBA::escape($gs),
intval($remote_user), intval($cid),
DBA::escape($gs) DBA::escape($gs)
); );
} }
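Review bot: `$cid` is assigned only inside the `if (!$remote_verified)` block in the first hunk, but the second hunk passes `intval($cid)` to the permission SQL, so on any path where the caller arrives with `$remote_verified` already true the variable would be undefined and the `allow_cid`/`deny_cid` patterns would be built with `<0>`. The code between the two hunks is not visible, so this needs confirming, but a `deny_cid` pattern for contact 0 would presumably never match, which would let a denied contact through on that path. Initialise `$cid` before the `if (!$remote_verified)` test and resolve it from `$_SESSION['remote']` on both paths, falling back to the most restrictive clause when it stays 0. Separately, `Logger::log("this remote array entry is".$visitor);` concatenates an array, which logs the literal `Array` with a conversion notice on every loop pass; drop it or log `$visitor['cid']` at debug level.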