From 1613f2a1c48db54e8841a286dd60013fd7859b48 Mon Sep 17 00:00:00 2001 From: Michael Date: Fri, 30 Mar 2018 06:20:00 +0000 Subject: [PATCH] Ensure that public contacts can't create toplevel posts --- mod/dfrn_notify.php | 1 - src/Protocol/DFRN.php | 26 +++++++++++++++----------- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/mod/dfrn_notify.php b/mod/dfrn_notify.php index a9dbcd263..a43c316b0 100644 --- a/mod/dfrn_notify.php +++ b/mod/dfrn_notify.php @@ -55,7 +55,6 @@ function dfrn_notify_post(App $a) { } // Set the user id. This is important if this is a public contact - $importer['uid'] = $user['uid']; $importer['importer_uid'] = $user['uid']; // Now we should be able to import it diff --git a/src/Protocol/DFRN.php b/src/Protocol/DFRN.php index 429c5051f..3d836acf9 100644 --- a/src/Protocol/DFRN.php +++ b/src/Protocol/DFRN.php @@ -1433,7 +1433,7 @@ class DFRN $contact_old = dba::fetch_first("SELECT `id`, `uid`, `url`, `network`, `avatar-date`, `avatar`, `name-date`, `uri-date`, `addr`, `name`, `nick`, `about`, `location`, `keywords`, `xmpp`, `bdyear`, `bd`, `hidden`, `contact-type` FROM `contact` WHERE `uid` = ? AND `nurl` = ? AND `network` != ?", - $importer["uid"], + $importer["importer_uid"], normalise_link($author["link"]), NETWORK_STATUSNET ); @@ -1443,7 +1443,7 @@ class DFRN $author["network"] = $contact_old["network"]; } else { if (!$onlyfetch) { - logger("Contact ".$author["link"]." wasn't found for user ".$importer["uid"]." XML: ".$xml, LOGGER_DEBUG); + logger("Contact ".$author["link"]." wasn't found for user ".$importer["importer_uid"]." XML: ".$xml, LOGGER_DEBUG); } $author["contact-id"] = $importer["id"]; @@ -1639,7 +1639,7 @@ class DFRN Contact::updateAvatar( $author['avatar'], - $importer['uid'], + $importer['importer_uid'], $contact['id'], (strtotime($contact['avatar-date']) > strtotime($contact_old['avatar-date']) || ($author['avatar'] != $contact_old['avatar'])) ); @@ -1657,7 +1657,7 @@ class DFRN $poco["contact-type"] = $contact["contact-type"]; $gcid = GContact::update($poco); - GContact::link($gcid, $importer["uid"], $contact["id"]); + GContact::link($gcid, $importer["importer_uid"], $contact["id"]); } return $author; @@ -2617,7 +2617,7 @@ class DFRN if ((x($ev, "desc") || x($ev, "summary")) && x($ev, "start")) { logger("Event in item ".$item["uri"]." was found.", LOGGER_DEBUG); $ev["cid"] = $importer["id"]; - $ev["uid"] = $importer["uid"]; + $ev["uid"] = $importer["importer_uid"]; $ev["uri"] = $item["uri"]; $ev["edited"] = $item["edited"]; $ev["private"] = $item["private"]; @@ -2626,7 +2626,7 @@ class DFRN $r = q( "SELECT `id` FROM `event` WHERE `uri` = '%s' AND `uid` = %d LIMIT 1", dbesc($item["uri"]), - intval($importer["uid"]) + intval($importer["importer_uid"]) ); if (DBM::is_result($r)) { $ev["id"] = $r[0]["id"]; @@ -2681,6 +2681,10 @@ class DFRN return true; } } else { // $entrytype == DFRN_TOP_LEVEL + if ($importer["uid"] == 0) { + logger("Contact ".$importer["id"]." isn't known to user ".$importer["importer_uid"].". The post will be ignored.", LOGGER_DEBUG); + return; + } if (!link_compare($item["owner-link"], $importer["url"])) { /* * The item owner info is not our contact. It's OK and is to be expected if this is a tgroup delivery, @@ -2736,10 +2740,10 @@ class DFRN return false; } - $condition = ["`uri` = ? AND `uid` = ? AND NOT `file` LIKE '%[%'", $uri, $importer["uid"]]; + $condition = ["`uri` = ? AND `uid` = ? AND NOT `file` LIKE '%[%'", $uri, $importer["importer_uid"]]; $item = dba::selectFirst('item', ['id', 'parent', 'contact-id'], $condition); if (!DBM::is_result($item)) { - logger("Item with uri " . $uri . " for user " . $importer["uid"] . " wasn't found.", LOGGER_DEBUG); + logger("Item with uri " . $uri . " for user " . $importer["importer_uid"] . " wasn't found.", LOGGER_DEBUG); return; } @@ -2808,7 +2812,7 @@ class DFRN $xpath->registerNamespace("statusnet", NAMESPACE_STATUSNET); $header = []; - $header["uid"] = $importer["uid"]; + $header["uid"] = $importer["importer_uid"]; $header["network"] = NETWORK_DFRN; $header["type"] = "remote"; $header["wall"] = 0; @@ -2827,7 +2831,7 @@ class DFRN self::fetchauthor($xpath, $doc->firstChild, $importer, "dfrn:owner", false, $xml); } - logger("Import DFRN message for user " . $importer["uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); + logger("Import DFRN message for user " . $importer["importer_uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); // The account type is new since 3.5.1 if ($xpath->query("/atom:feed/dfrn:account_type")->length > 0) { @@ -2895,7 +2899,7 @@ class DFRN self::processEntry($header, $xpath, $entry, $importer, $xml); } } - logger("Import done for user " . $importer["uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); + logger("Import done for user " . $importer["importer_uid"] . " from contact " . $importer["id"], LOGGER_DEBUG); return 200; }