Mark Smith ([staff profile] mark) wrote in [site community profile] changelog2010-05-02 06:54 am

[dw-free] http://bugs.dwscoalition.org/show_bug.cgi?id=1801

[commit: http://hg.dwscoalition.org/dw-free/rev/04ba85a71e7c]

http://bugs.dwscoalition.org/show_bug.cgi?id=1801

Standardize the security SQL used to get entries for editing and viewing.

Patch by [personal profile] fu.

Files modified:
  • cgi-bin/ljprotocol.pl
--------------------------------------------------------------------------------
diff -r f887f0643b6c -r 04ba85a71e7c cgi-bin/ljprotocol.pl
--- a/cgi-bin/ljprotocol.pl	Sun May 02 06:47:33 2010 +0000
+++ b/cgi-bin/ljprotocol.pl	Sun May 02 06:54:19 2010 +0000
@@ -2215,10 +2215,34 @@ sub getevents
         return fail($err,200,"Invalid selecttype.");
     }
 
+    my $mask = 0;
+    if ( $u && ( $u->is_person || $u->is_identity ) && $posterid != $ownerid ) {
+        # if this is a community we're viewing, fake the mask to select on, as communities
+        # no longer have masks to users
+        if ( $uowner->is_community ) {
+            $mask = $u->member_of( $uowner ) ? 1 : 0;
+        } else {
+            $mask = $uowner->trustmask( $u );
+        }
+    }
+
+    # check security!
+    my $secwhere;
+    if ( $u && $u->can_manage( $uowner ) ) {
+        # journal owners and community admins can see everything
+        $secwhere = "";
+    } elsif ( $mask ) {
+        # can see public or things with them in the mask
+        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $mask != 0))";
+    } else {
+        # not on access list or a member; only see public.
+        $secwhere = "AND security='public'";
+    }
+
     # common SQL template:
     unless ($sql) {
         $sql = "SELECT jitemid, eventtime, security, allowmask, anum, posterid ".
-            "FROM log2 WHERE journalid=$ownerid $where $orderby $limit";
+            "FROM log2 WHERE journalid=$ownerid $where $secwhere $orderby $limit";
     }
 
     # whatever selecttype might have wanted us to use the master db.
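Review bot: The `$mask` value is interpolated straight into the SQL string in the `elsif ( $mask )` branch, and its origin — `$uowner->trustmask( $u )` — is not visible in this hunk, so nothing here guarantees it is a plain integer when it reaches the query. Forcing the numeric form at the point of use keeps the clause well-formed regardless of what the accessor returns: `$secwhere = sprintf( "AND (security='public' OR (security='usemask' AND allowmask & %d != 0))", $mask );`. Separately, `$secwhere` is only spliced into the query built inside `unless ($sql)`; if any selecttype branch earlier in getevents (outside this hunk) assigns `$sql` itself, that path would not receive the security filter, which seems worth confirming given the commit's intent to standardize it. getevents's body begins and continues outside the hunk.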
--------------------------------------------------------------------------------