Committer: ssafronova
LJSUP-8039: Deny non-members to view/edit/delet entries in business-sensetive communitiesU trunk/cgi-bin/LJ/Entry.pm U trunk/cgi-bin/LJ/User.pm U trunk/cgi-bin/ljprotocol.pl U trunk/htdocs/editjournal.bml
Modified: trunk/cgi-bin/LJ/Entry.pm
===================================================================
--- trunk/cgi-bin/LJ/Entry.pm 2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/LJ/Entry.pm 2011-03-11 12:32:18 UTC (rev 18524)
@@ -922,7 +922,7 @@
     return 1 if $userid == $remoteid;
 
     # author in community can always see their post
-    return 1 if $remoteid == $self->posterid;
+    return 1 if $remoteid == $self->posterid and not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $self->journal->{user} };
 
     # other people can't read private
     return 0 if $self->{'security'} eq "private";
Modified: trunk/cgi-bin/LJ/User.pm
===================================================================
--- trunk/cgi-bin/LJ/User.pm 2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/LJ/User.pm 2011-03-11 12:32:18 UTC (rev 18524)
@@ -6200,13 +6200,15 @@
     return 0 unless $remote;
 
     my $userid = int($item->{'ownerid'} || $item->{'journalid'});
+    my $u = LJ::load_userid($userid);
+    my $journal_name = $u ? $u->user : '';
     my $remoteid = int($remote->{'userid'});
 
     # owners can always see their own.
     return 1 if ($userid == $remoteid);
 
     # author in community can always see their post
-    return 1 if $remoteid == $item->{'posterid'};
+    return 1 if $remoteid == $item->{'posterid'} and not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $journal_name };;
 
     # other people can't read private
     return 0 if ($item->{'security'} eq "private");
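Review bot: The new condition on the `$self->posterid` line withdraws the author exemption for every entry in a journal listed in `%LJ::JOURNALS_WITH_PROTECTED_CONTENT` without asking whether the author is a member, so a member's own private entry in such a community now falls through to the `return 0` for private below; the commit title speaks of non-members, and the ljprotocol.pl and `can_delete_journal_item` hunks do consult `LJ::is_friend`. If membership is meant to matter here too, keep the exemption for members, e.g. `return 1 if $remoteid == $self->posterid and (not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $self->journal->{user} } or LJ::is_friend($self->journal, $remote));` (adjusted to whatever `LJ::is_friend` accepts and to the name the remote user object has in this method, which is not visible in the hunk). The same rule is written a second time in the User.pm hunk below with a different way of obtaining the journal name (`$self->journal->{user}` here, `$u->user` there); one shared predicate would keep the two visibility paths from drifting apart. The enclosing method starts and ends outside the hunk.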
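Review bot: When `LJ::load_userid($userid)` returns nothing, `$journal_name` becomes `''`, the hash lookup on the posterid line is false and the author exemption is granted, so the new check fails open in exactly the case where the journal could not be resolved. Fail closed instead, e.g. `return 1 if $remoteid == $item->{'posterid'} and $u and not $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $u->user };`, which also removes the `;;` at the end of that line and the `$journal_name` temporary. The load itself now runs on every call, ahead of the owner short-circuit, although its result is only consulted on the posterid line; if this routine is invoked once per item (it reads like a per-item visibility check), moving the load down next to the posterid check saves a user lookup per entry. The enclosing sub starts and ends outside the hunk.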
@@ -9821,9 +9823,17 @@
 }
 
 sub can_delete_journal_item {
-    my ($remote, $u) = @_;
+    my ($remote, $u, $itemid) = @_;
     $remote = LJ::want_user($remote);
-    return $remote && $remote->can_manage($u);
+
+    return 0 unless $remote;
+
+    return 0 unless $remote->can_manage($u);
+
+    return 0 if $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $u->{user} } and !LJ::is_friend($u, $remote);
+
+    my $entry = LJ::Entry->new($u, jitemid => $itemid);
+    return $entry->posterid == $remote->userid;
 }
 
 
Modified: trunk/cgi-bin/ljprotocol.pl
===================================================================
--- trunk/cgi-bin/ljprotocol.pl 2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/cgi-bin/ljprotocol.pl 2011-03-11 12:32:18 UTC (rev 18524)
@@ -2227,7 +2227,7 @@
 
     # make sure user can't change post in a certain community without being its member
     return fail($err,102)
-        if ($LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES{ $uowner->{user} } &&
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} } &&
             !LJ::is_friend($uowner, $u));
 
 
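Review bot: The final `return $entry->posterid == $remote->userid;` applies to every journal, not only to those in `%LJ::JOURNALS_WITH_PROTECTED_CONTENT`, so a user who passes `can_manage($u)` can no longer delete anyone else's entry anywhere, and the editjournal.bml hunk calls this function precisely when `$res{'events_1_poster'}` is not the current user, which makes `$disabled_delete` true there in every case. If the intent is the one in the commit title, the poster comparison belongs inside the protected-journal branch. `$itemid` is also new and optional for existing two-argument callers; with it undefined, `LJ::Entry->new($u, jitemid => undef)` and the `->posterid` call on a possibly missing entry are unguarded. A reordered body along these lines keeps the old behaviour for ordinary journals and fails closed when the item is unknown.
```perl
sub can_delete_journal_item {
    my ($remote, $u, $itemid) = @_;
    $remote = LJ::want_user($remote);

    return 0 unless $remote;
    return 0 unless $remote->can_manage($u);

    # ordinary journals: a manager keeps the rights the old code granted
    return 1 unless $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $u->{user} };

    # protected journal: members only, and only for their own entries
    return 0 unless LJ::is_friend($u, $remote);
    return 0 unless defined $itemid;
    my $entry = LJ::Entry->new($u, jitemid => $itemid);
    return 0 unless $entry;
    return $entry->posterid == $remote->userid;
}
```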
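Review bot: The `if` line now reads `%LJ::JOURNALS_WITH_PROTECTED_CONTENT`, while nothing in this commit populates it: a site whose configuration still fills `%LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES` sees an empty hash here and the membership check passes for everyone until that configuration is updated. Until the old name is retired, fill the new hash from the old one once at config-load time, e.g. `%LJ::JOURNALS_WITH_PROTECTED_CONTENT = (%LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES, %LJ::JOURNALS_WITH_PROTECTED_CONTENT) if %LJ::MEMBERSHIP_SENSITIVE_COMMUNITIES;` wherever the defaults are defined, or at least confirm no config still references the old name before deploying. The enclosing sub starts and ends outside the hunk.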
@@ -2651,10 +2651,21 @@
         # no extra where restrictions... user can see all their own stuff
     } elsif ($secmask) {
         # can see public or things with them in the mask
-        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+        # and own posts in non-sensitive communities
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} }) {
+            $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0))";
+        } else {
+            $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+        }
     } else {
         # not a friend? only see public.
-        $secwhere = "AND (security='public' OR posterid=$posterid)";
+        # and own posts in non-sensitive communities
+
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} }) {
+            $secwhere = "AND (security='public')";
+        } else {
+            $secwhere = "AND (security='public' OR posterid=$posterid)";
+        }
     }
 
     # if this is on, we sort things different (logtime vs. posttime)
Modified: trunk/htdocs/editjournal.bml
===================================================================
--- trunk/htdocs/editjournal.bml 2011-03-11 11:26:42 UTC (rev 18523)
+++ trunk/htdocs/editjournal.bml 2011-03-11 12:32:18 UTC (rev 18524)
@@ -167,7 +167,7 @@
     my $disabled_delete = 0;
     my $disabled_spamdelete = 0;
     if ($usejournal && $res{'events_1_poster'} ne $u->{'user'}) {
-        $disabled_delete = ! LJ::can_delete_journal_item($u, $usejournal_u);
+        $disabled_delete = ! LJ::can_delete_journal_item($u, $usejournal_u, $itemid);
         $disabled_save++;
     }
     $disabled_spamdelete = $disabled_delete || !$usejournal || ($res{'events_1_poster'} eq $u->{'user'});
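Review bot: The four `$secwhere` assignments differ only in whether the tail ` OR posterid=$posterid` is present, so the protected-journal rule is easy to get out of step between the `$secmask` branch and the public-only branch; computing the tail once keeps a single copy of each SQL fragment, e.g. `my $own_posts = $LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} } ? '' : " OR posterid=$posterid";` before the `if` chain (which begins outside the hunk), then `$secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0)$own_posts)";` and `$secwhere = "AND (security='public'$own_posts)";`. In a protected journal the dropped tail also hides a member's own entries whose mask excludes them, which mirrors the Entry.pm hunk but goes beyond the non-member wording of the commit title, so it is worth confirming that is intended. `$secmask` and `$posterid` are still interpolated straight into SQL; they are assigned outside the hunk and are presumably already integers, and this code relies on that being enforced there. The enclosing sub starts and ends outside the hunk.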