Committer: aurbanowich
LJSUP-7825 Read any journals (XML-RPC)U trunk/cgi-bin/ljprotocol.pl
Modified: trunk/cgi-bin/ljprotocol.pl
===================================================================
--- trunk/cgi-bin/ljprotocol.pl 2011-02-03 06:34:29 UTC (rev 18193)
+++ trunk/cgi-bin/ljprotocol.pl 2011-02-03 08:03:56 UTC (rev 18194)
@@ -2618,8 +2618,8 @@
 ### shared-journal support
 my $posterid = $u->{'userid'};
- my $ownerid = $flags->{'ownerid'};
-
+ my $ownerid = $req->{journalid} || $flags->{'ownerid'};
+
 my $dbr = LJ::get_db_reader();
 my $sth;
@@ -2635,6 +2635,24 @@
 if ($errmsg) { return fail($err, "311", $errmsg); }
 }
+ my $secmask = 0;
+ if ($u && ($u->{'journaltype'} eq "P" || $u->{'journaltype'} eq "I") && $posterid != $ownerid) {
+ $secmask = LJ::get_groupmask($ownerid, $posterid);
+ }
+
+ # decide what level of security the remote user can see
+ # 'getevents' used in small count of places and we will not pass 'viewall' through their call chain
+ my $secwhere = "";
+ if ($posterid == $ownerid) {
+ # no extra where restrictions... user can see all their own stuff
+ } elsif ($secmask) {
+ # can see public or things with them in the mask
+ $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
+ } else {
+ # not a friend? only see public.
+ $secwhere = "AND (security='public' OR posterid=$posterid)";
+ }
+
 # if this is on, we sort things different (logtime vs. posttime)
 # to avoid timezone issues
 my $is_community = ($uowner->{'journaltype'} eq "C" ||
@@ -2745,7 +2763,7 @@
 my %item;
 $sth = $dbcr->prepare("SELECT jitemid, logtime FROM log2 WHERE ".
- "journalid=? and logtime > ?");
+ "journalid=? and logtime > ? $secwhere");
 $sth->execute($ownerid, $date);
 while (my ($id, $dt) = $sth->fetchrow_array) {
 $item{$id} = $dt;
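Review bot: `$req->{journalid}` comes from the client request and now takes precedence over `$flags->{'ownerid'}`, so the journal being read is caller-chosen and reaches the numeric comparisons with `$posterid` without being coerced or validated. Coerce it at the assignment, for example `my $ownerid = int($req->{journalid} || 0) || $flags->{'ownerid'};`, and confirm the journal exists and is in a readable state before any query runs. `$uowner`, used a few lines further down for the community check, is defined outside this hunk; if it is still derived from the authentication flags it may describe a different journal than `$ownerid`, which is worth checking. The enclosing sub starts and ends outside the hunk.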
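Review bot: `$secwhere` is built by interpolating `$secmask` and `$posterid` directly into SQL text, and with the journal now caller-chosen this fragment is the only thing separating a reader from another journal's protected entries. Both values appear to be server-derived (`$u->{'userid'}` and the result of `LJ::get_groupmask`), so this is hardening rather than a demonstrated injection: force them numeric before use, e.g. `$secmask += 0;` after the lookup and `+ 0` where `$posterid` is assigned. I would also add a comment above `my $secwhere` along the lines of `# access control for reads of other journals: every log2 SELECT below must append $secwhere`.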
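Review bot: The security filter reaches this `log2` query, and the one in the `@@ -2788` hunk, only by string concatenation, so any other SELECT in this sub keyed on `$ownerid` that omits `$secwhere` would return friends-only or private entries of the requested journal. Only these two queries and the first lines of the common SQL template are visible here, so the remaining selecttype branches need an audit. A regression test that calls each selecttype as a non-friend of the target journal and asserts that only public entries come back would pin the behaviour down. `LIMIT $itemselect` in the `@@ -2788` hunk is interpolated as well; its origin is outside the view and it should be confirmed to be an integer.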
@@ -2788,7 +2806,7 @@
 my %item;
 $sth = $dbcr->prepare("SELECT jitemid, logtime FROM log2 WHERE ".
- "journalid=? and logtime < ? LIMIT $itemselect");
+ "journalid=? AND logtime < ? $secwhere LIMIT $itemselect");
 $sth->execute($ownerid, $before);
 while (my ($id, $dt) = $sth->fetchrow_array) {
 $item{$id} = $dt;
@@ -2822,24 +2840,6 @@
 return fail($err,200,"Invalid selecttype.");
 }
- my $secmask = 0;
- if ($u && ($u->{'journaltype'} eq "P" || $u->{'journaltype'} eq "I") && $posterid != $ownerid) {
- $secmask = LJ::get_groupmask($ownerid, $posterid);
- }
-
- # decide what level of security the remote user can see
- # 'getevents' used in small count of places and we will not pass 'viewall' through their call chain
- my $secwhere = "";
- if ($posterid == $ownerid) {
- # no extra where restrictions... user can see all their own stuff
- } elsif ($secmask) {
- # can see public or things with them in the mask
- $secwhere = "AND (security='public' OR (security='usemask' AND allowmask & $secmask != 0) OR posterid=$posterid)";
- } else {
- # not a friend? only see public.
- $secwhere = "AND (security='public' OR posterid=$posterid)";
- }
-
 # common SQL template:
 unless ($sql) {
 $sql = "SELECT jitemid, eventtime, security, allowmask, anum, posterid, replycount, UNIX_TIMESTAMP(eventtime) ".