ssafronova (ssafronova) wrote in changelog,

[livejournal] r16112: LJSV-263: Non-member posting allows acce...

Committer: ssafronova
LJSV-263: Non-member posting allows access on editjournal.bml to community entries
1. The poster can now read their own entries even in communities
2. 'getevents' protocol mode does not return entries that the remote user may not read
U   trunk/cgi-bin/LJ/Entry.pm
U   trunk/cgi-bin/LJ/User.pm
U   trunk/cgi-bin/ljlib.pl
U   trunk/cgi-bin/ljprotocol.pl
U   trunk/htdocs/editjournal.bml
Modified: trunk/cgi-bin/LJ/Entry.pm
===================================================================
--- trunk/cgi-bin/LJ/Entry.pm	2010-01-20 08:51:47 UTC (rev 16111)
+++ trunk/cgi-bin/LJ/Entry.pm	2010-01-20 10:30:56 UTC (rev 16112)
@@ -848,6 +848,7 @@
 }
 
 # instance method:  returns bool, if remote user can view this entry
+# is duplicate to LJ::can_view (LJ/User.pm), it is hard translate one to other because different entry attributes hashrefs
 sub visible_to
 {
     my ($self, $remote, $canview) = @_;
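Review bot: The comment added above visible_to is hard to read as written ("is duplicate to", "hard translate one to other") and does not state the maintenance obligation it implies. Suggest `# Duplicates the checks in LJ::can_view (LJ/User.pm); they stay separate because each takes a different entry-attribute hashref, so any security change here must be mirrored there.` The body of visible_to continues past the end of this hunk.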
@@ -886,6 +887,9 @@
     # owners can always see their own.
     return 1 if $userid == $remoteid;
 
+    # author in community can always see their post
+    return 1 if $remoteid == $self->posterid;
+
     # other people can't read private
     return 0 if $self->{'security'} eq "private";
 
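Review bot: The new `return 1 if $remoteid == $self->posterid;` grants read access ahead of the private and usemask checks, as the commit intends, but it has no guard for a false or zero `$remoteid`: if anonymous viewers can reach this point with `$remoteid` of 0 and any entry row can carry a posterid of 0, the comparison would grant anonymous access to that entry. If that combination is possible in this data, guard it as `return 1 if $remoteid && $remoteid == $self->posterid;`. The same check is added to can_view in LJ/User.pm (the `$item->{'posterid'}` hunk) and would need the same guard. visible_to starts and ends outside this hunk.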

Modified: trunk/cgi-bin/LJ/User.pm
===================================================================
--- trunk/cgi-bin/LJ/User.pm	2010-01-20 08:51:47 UTC (rev 16111)
+++ trunk/cgi-bin/LJ/User.pm	2010-01-20 10:30:56 UTC (rev 16112)
@@ -5642,6 +5642,9 @@
     # owners can always see their own.
     return 1 if ($userid == $remoteid);
 
+    # author in community can always see their post
+    return 1 if $remoteid == $item->{'posterid'};
+
     # other people can't read private
     return 0 if ($item->{'security'} eq "private");
 

Modified: trunk/cgi-bin/ljlib.pl
===================================================================
--- trunk/cgi-bin/ljlib.pl	2010-01-20 08:51:47 UTC (rev 16111)
+++ trunk/cgi-bin/ljlib.pl	2010-01-20 10:30:56 UTC (rev 16112)
@@ -1049,10 +1049,10 @@
         # alternatively, if 'viewall' opt flag is set, security is off.
     } elsif ($mask) {
         # can see public or things with them in the mask
-        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $mask != 0))";
+        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $mask != 0) OR posterid = $remoteid)";
     } else {
         # not a friend?  only see public.
-        $secwhere = "AND security='public' ";
+        $secwhere = "AND (security='public' OR posterid=$remoteid)";
     }
 
     # because LJ::get_friend_items needs rlogtime for sorting.
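Review bot: Both new `$secwhere` strings interpolate `$remoteid` straight into SQL, and the `else` branch is the one taken when there is no friend mask, which presumably includes the anonymous case; if `$remoteid` can be undef or empty there, the clause becomes `posterid=` and the query fails with a syntax error, and if it is 0 the extra disjunct is merely dead. Coerce it to a number and omit the disjunct when it is false, e.g. `my $poster_or = $remoteid ? " OR posterid=" . int($remoteid) : "";` used in both branches in place of the literal `OR posterid=$remoteid`. The same pattern is repeated in the getevents hunk of ljprotocol.pl with `$posterid`. The enclosing function starts and ends outside this hunk.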

Modified: trunk/cgi-bin/ljprotocol.pl
===================================================================
--- trunk/cgi-bin/ljprotocol.pl	2010-01-20 08:51:47 UTC (rev 16111)
+++ trunk/cgi-bin/ljprotocol.pl	2010-01-20 10:30:56 UTC (rev 16112)
@@ -2320,6 +2320,24 @@
         return fail($err,200,"Invalid selecttype.");
     }
 
+    my $secmask = 0;
+    if ($u && ($u->{'journaltype'} eq "P" || $u->{'journaltype'} eq "I") && $posterid != $ownerid) {
+        $secmask = LJ::get_groupmask($ownerid, $posterid);
+    }
+
+    # decide what level of security the remote user can see
+    # 'getevents' used in small count of places and we will not pass 'viewall' through their call chain
+    my $secwhere = "";
+    if ($posterid == $ownerid) {
+        # no extra where restrictions... user can see all their own stuff
+    } elsif ($secmask) {
+        # can see public or things with them in the mask
+        $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+    } else {
+        # not a friend?  only see public.
+        $secwhere = "AND (security='public' OR posterid=$posterid)";
+    }
+
     # common SQL template:
     unless ($sql) {
         $sql = "SELECT jitemid, eventtime, security, allowmask, anum, posterid, replycount, UNIX_TIMESTAMP(eventtime) ".
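Review bot: `$secwhere` is built here but the hunk ends before it is applied, and the template that follows is only assembled `unless ($sql)`; if any selecttype branch above already filled `$sql`, those queries would still return entries the requester may not read unless they append `$secwhere` themselves, which is worth confirming branch by branch. The clause logic is also a copy of the `$secwhere` construction in ljlib.pl, which the Entry.pm comment in this same commit already flags as a duplication hazard; a small shared helper (name to be chosen) taking the remote userid and mask and returning the clause string would keep the two in sync. Note too that `$secmask` stays 0 for community journals, so a member calling getevents on a community sees only public entries and their own, which may or may not be intended. The enclosing getevents sub starts and ends outside this hunk.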

Modified: trunk/htdocs/editjournal.bml
===================================================================
--- trunk/htdocs/editjournal.bml	2010-01-20 08:51:47 UTC (rev 16111)
+++ trunk/htdocs/editjournal.bml	2010-01-20 10:30:56 UTC (rev 16112)
@@ -157,6 +157,11 @@
             return "<?h1 $ML{'Error'} h1?><?p $ML{'/editjournal_do.bml.error.nofind'} p?>"
                 unless $res{'events_count'} && $res{'events_1_anum'} == $anum;
 
+            ####  Check security before viewing this post
+            my $errtxt;
+            my $item = LJ::Talk::get_journal_item($u_for_entry, $itemid);
+            return $errtxt unless LJ::Talk::check_viewable($remote, $item, undef, \$errtxt);
+
             # are we authorized to edit other peoples' posts in this community?
             my $disabled_save = 0;
             my $disabled_delete = 0;
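Review bot: `return $errtxt unless LJ::Talk::check_viewable(...)` returns whatever `$errtxt` holds when the check fails; if check_viewable can refuse without setting it, the page body would be empty or undef rather than an error, so fall back to a visible message, e.g. `return ($errtxt || "<?h1 $ML{'Error'} h1?>") unless LJ::Talk::check_viewable($remote, $item, undef, \$errtxt);`. `$item` from get_journal_item is also passed on unchecked; the nofind test just above covers existence in the protocol result, but if get_journal_item can return undef for a missing or deleted entry it is safer to treat that as the nofind case too. The enclosing block continues outside this hunk.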
@@ -172,6 +177,8 @@
                 $disabled_save++;
             }
 
+            $disabled_save++ if $u_for_entry->is_banned($remote);
+
             ###
             ### SAVE EDITS
             ###
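Review bot: The ban check only bumps `$disabled_save`; `$disabled_delete` is left untouched, so a user banned by `$u_for_entry` loses the save action for the entry but keeps delete. If that asymmetry is not intended, replace the added line with `if ($u_for_entry->is_banned($remote)) { $disabled_save++; $disabled_delete++; }`. The surrounding block starts and ends outside this hunk.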
