sunnyman's (sunnyman) wrote in changelog,
sunnyman's
sunnyman
changelog

[livejournal] r19242: OPSC-8950: getevents & getcomments work ...

Committer: vtroitsky
OPSC-8950: getevents & getcomments work without authorization for public posts.

U   trunk/cgi-bin/ljprotocol.pl
Modified: trunk/cgi-bin/ljprotocol.pl
===================================================================
--- trunk/cgi-bin/ljprotocol.pl	2011-06-07 03:08:53 UTC (rev 19241)
+++ trunk/cgi-bin/ljprotocol.pl	2011-06-07 04:52:03 UTC (rev 19242)
@@ -336,6 +336,9 @@
 
 sub getcomments {
     my ($req, $err, $flags) = @_;
+    
+    $flags->{allow_anonymous} = 1;
+
     return undef unless authenticate($req, $err, $flags);
     my $u = $flags->{'u'};
 
@@ -349,6 +352,8 @@
         $journal = $u;
     }
 
+    return fail($err,200,"journal") unless($journal);
+
     return fail($err,200,"ditemid") unless($req->{ditemid});
     my $itemid = int($req->{ditemid} / 256); 
 
@@ -357,7 +362,7 @@
     return fail($err,203,"ditemid (specified post doesn't exist in requested journal)") unless($jitem);
     my $up = LJ::load_userid( $jitem->{'posterid'} );
 
-    # check permission to access post
+    # check permission to access root post
     return fail($err,300,"") unless( LJ::can_view($u, $jitem));
 
     my $talkid = int(($req->{dtalkid} + 0)/256);   # talkid to load thread
@@ -459,7 +464,7 @@
                      qw(edit_time deleted_poster picture_keyword opt_preformatted) };
             
             $item_data->{props}->{'poster_ip'} = $item->{'props'}->{'poster_ip'}
-                if $item->{'props'}->{'poster_ip'} && ( $u->{'user'} eq $up->{'user'} || $u->can_manage($journal) );
+                if $item->{'props'}->{'poster_ip'} && $u && ( $u->{'user'} eq $up->{'user'} || $u->can_manage($journal) );
             
             $item_data->{privileges} = {};
             $item_data->{privileges}->{delete}   = LJ::Talk::can_delete($u, $journal, $up, $item->{userpost});
@@ -2665,6 +2670,8 @@
 sub getevents
 {
     my ($req, $err, $flags) = @_;
+
+    $flags->{allow_anonymous} = 1;
     return undef unless authenticate($req, $err, $flags);
 
     $flags->{'ignorecanuse'} = 1; # later we will check security levels, so allow some access to communities
@@ -2674,7 +2681,7 @@
     my $uowner = $flags->{'u_owner'} || $u;
 
     ### shared-journal support
-    my $posterid = $u->{'userid'};
+    my $posterid = ($u ? $u->{'userid'} : 0);
     my $ownerid = $flags->{'ownerid'};
     if( $req->{journalid} ){
         $ownerid = $req->{journalid};
@@ -2718,9 +2725,9 @@
         # not a friend?  only see public.
         # and own posts in non-sensitive communities
 
-        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} }) {
+        if ($LJ::JOURNALS_WITH_PROTECTED_CONTENT{ $uowner->{user} } || !$posterid) {
             $secwhere = "AND (security='public')";
-        } else {
+        } else{
             $secwhere = "AND (security='public' OR posterid=$posterid)";
         }
     }
@@ -2811,6 +2818,7 @@
         my $date = $req->{'lastsync'} || "0000-00-00 00:00:00";
         return fail($err,203,"Invalid syncitems date format")
             unless ($date =~ /^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d/);
+        return fail($err,301,"syncitems is unavailable in anonymous mode") unless($u);
 
         my $now = time();
         # broken client loop prevention
@@ -3889,7 +3897,17 @@
     # see note in ljlib.pl::can_use_journal about why we return
     # both 'ownerid' and 'u_owner' in $flags
 
-    my $alt = $req->{'usejournal'};
+    my $alt = $req->{'usejournal'} || $req->{journal};
+
+    if ($flags->{allow_anonymous}) {
+        return fail($err,200) unless $alt;
+        return fail($err,100) unless LJ::canonical_username($alt);
+        $flags->{'u_owner'} = LJ::load_user($alt);
+        $flags->{'ownerid'} = $flags->{'u_owner'}->{'userid'};
+        return 1 if $flags->{'ownerid'};
+        return fail($err,206);
+    }
+
     my $u = $flags->{'u'};
     unless ($u) {
         my $username = $req->{'username'};
@@ -3936,6 +3954,14 @@
     my ($req, $err, $flags) = @_;
 
     my $username = $req->{'username'};
+
+    # add flag to avoid authentication
+    if (!$username && $flags->{'allow_anonymous'}) {
+        undef $flags->{'u'};
+        # TODO: check for banned IP
+        return 1;
+    }
+
     return fail($err,200) unless $username;
     return fail($err,100) unless LJ::canonical_username($username);
 

Tags: livejournal, pl, sunnyman
Subscribe

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments