ssafronova (ssafronova) wrote in changelog,

[livejournal] r18524: LJSUP-8039: Deny non-members to view/edi...

Committer: ssafronova
LJSUP-8039: Deny non-members to view/edit/delete entries in business-sensitive communities
U   trunk/cgi-bin/LJ/Entry.pm
U   trunk/cgi-bin/LJ/User.pm
U   trunk/cgi-bin/ljprotocol.pl
U   trunk/htdocs/editjournal.bml
Modified: trunk/cgi-bin/LJ/Entry.pm
===================================================================
--- trunk/cgi-bin/LJ/Entry.pm	2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/LJ/Entry.pm	2011-03-11 12:32:18 UTC (rev 18524)
@@ -922,7 +922,7 @@
     return 1 if $userid == $remoteid;
 
     # author in community can always see their post
-    return 1 if $remoteid == $self->posterid;
+    return 1 if $remoteid == $self->posterid and not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $self->journal->{user} };
 
     # other people can't read private
     return 0 if $self->{'security'} eq "private";
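Review bot: The new condition keys the protection list on the journal's username, `$LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $self->journal->{user} }`, so if an account can be renamed the journal would drop out of the list without any error and the author shortcut would apply again; keying on the numeric journal id would avoid that. The same lookup is spelled three ways in this commit (`$self->journal->{user}` here, `$u->user` in User.pm, `$uowner->{user}` in ljprotocol.pl), and a single helper (for example `LJ::is_protected_journal($journal_u)`, a suggested name, not an existing function) would keep the access rule in one place. A comment above the line such as `# protected journals: authorship alone grants nothing; fall through to the checks below` would make the intent explicit. The enclosing sub starts and ends outside this hunk, so what a protected journal's author falls through to is not visible here.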

Modified: trunk/cgi-bin/LJ/User.pm
===================================================================
--- trunk/cgi-bin/LJ/User.pm	2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/LJ/User.pm	2011-03-11 12:32:18 UTC (rev 18524)
@@ -6200,13 +6200,15 @@
     return 0 unless $remote;
 
     my $userid = int($item->{'ownerid'} || $item->{'journalid'});
+    my $u = LJ::load_userid($userid);
+    my $journal_name = $u ? $u->user : '';
     my $remoteid = int($remote->{'userid'});
 
     # owners can always see their own.
     return 1 if ($userid == $remoteid);
 
     # author in community can always see their post
-    return 1 if $remoteid == $item->{'posterid'};
+    return 1 if $remoteid == $item->{'posterid'} and not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $journal_name };;
 
     # other people can't read private
     return 0 if ($item->{'security'} eq "private");
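Review bot: The added lookup fails open: when `LJ::load_userid($userid)` returns nothing, `$journal_name` becomes `''`, the hash lookup is false, and the poster shortcut is granted as if the journal were unprotected. For an access check it is safer to fail closed, e.g. `return 0 unless $u;` right after the load, assuming no caller depends on items whose journal cannot be loaded. The load also runs before the owner check, so moving the two new lines below `return 1 if ($userid == $remoteid);` saves a user load on the common path. The changed line ends in a stray `;;`. The sub's start and end are outside the hunk.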
@@ -9821,9 +9823,17 @@
 }
 
 sub can_delete_journal_item {
-    my ($remote, $u) = @_;
+    my ($remote, $u, $itemid) = @_;
     $remote = LJ::want_user($remote);
-    return $remote && $remote->can_manage($u);
+
+    return 0 unless $remote;
+
+    return 0 unless $remote->can_manage($u);
+
+    return 0 if $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $u->{user} } and !LJ::is_friend($u, $remote);
+
+    my $entry = LJ::Entry->new($u, jitemid => $itemid);
+    return $entry->posterid == $remote->userid;
 }
 
 
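Review bot: The final `return $entry->posterid == $remote->userid;` applies to every journal, not only those in `%LJ::JOURNALS_WITH_PROTECTED_CONTENT`, so a maintainer who passed `can_manage` is now refused unless they wrote the entry themselves. In the editjournal.bml hunk the call sits inside `$res{'events_1_poster'} ne $u->{'user'}`, so there the result looks always false and delete stays disabled for maintainers. If the intent is only to require membership in protected journals, the tail could be `return 1 unless $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $u->{user} };` followed by `return LJ::is_friend($u, $remote) ? 1 : 0;`. `$itemid` is also a new third argument: any caller still passing two (none are visible in this commit) would build the entry with an undefined `jitemid`, so `return 0 unless defined $itemid;` is worth adding if the poster check stays.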

Modified: trunk/cgi-bin/ljprotocol.pl
===================================================================
--- trunk/cgi-bin/ljprotocol.pl	2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/ljprotocol.pl	2011-03-11 12:32:18 UTC (rev 18524)
@@ -2227,7 +2227,7 @@
 
     # make sure user can't change post in a certain community without being its member 
     return fail($err,102)
-        if ($LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES{ $uowner->{user} } &&
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} } &&
             !LJ::is_friend($uowner, $u));
         
 
@@ -2651,10 +2651,21 @@
         # no extra where restrictions... user can see all their own stuff
     } elsif ($secmask) {
         # can see public or things with them in the mask
-        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+        # and own posts in non-sensitive communities
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} }) {
+            $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0))";
+        } else {
+            $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+        }
     } else {
         # not a friend?  only see public.
-        $secwhere = "AND (security='public' OR posterid=$posterid)";
+        # and own posts in non-sensitive communities
+
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} }) {
+            $secwhere = "AND (security='public')";
+        } else {
+            $secwhere = "AND (security='public' OR posterid=$posterid)";
+        }
     }
 
     # if this is on, we sort things different (logtime vs. posttime)
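Review bot: The four `$secwhere` strings now differ only by the trailing `OR posterid=$posterid`, which makes it easy for the protected and unprotected variants to drift apart; computing the suffix once, `my $own = $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} } ? '' : " OR posterid=$posterid";`, and appending `$own` inside each parenthesised clause keeps the rule in one place. `$secmask` and `$posterid` are interpolated straight into SQL and are assigned outside this hunk, so confirm both are forced to integers before this point (`int(...)` or `+ 0`). The new comment `# and own posts in non-sensitive communities` uses a different term from the hash name; one name for the list throughout would help. The rename from `%LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES` in the hunk above means any site config still populating the old hash would silently turn all of these checks off, so the config change has to ship with this revision. The `if`/`elsif` chain begins above the hunk.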

Modified: trunk/htdocs/editjournal.bml
===================================================================
--- trunk/htdocs/editjournal.bml	2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/htdocs/editjournal.bml	2011-03-11 12:32:18 UTC (rev 18524)
@@ -167,7 +167,7 @@
             my $disabled_delete = 0;
             my $disabled_spamdelete = 0;
             if ($usejournal && $res{'events_1_poster'} ne $u->{'user'}) {
-                $disabled_delete = ! LJ::can_delete_journal_item($u, $usejournal_u);
+                $disabled_delete = ! LJ::can_delete_journal_item($u, $usejournal_u, $itemid);
                 $disabled_save++;
             }
             $disabled_spamdelete = $disabled_delete || !$usejournal || ($res{'events_1_poster'} eq $u->{'user'});

Tags: bml, livejournal, pl, pm, ssafronova