From b0234f4ef9c3dff8f0d85c74ac7ec29c99b69978 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 21 Dec 2020 00:25:21 -0500
Subject: [PATCH 1/4] Remove autocomplete from 2FA code input fields

---
 src/Module/Security/TwoFactor/Verify.php | 2 +-
 src/Module/Settings/TwoFactor/Verify.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/Module/Security/TwoFactor/Verify.php b/src/Module/Security/TwoFactor/Verify.php
index 2e327fd9e9..d7a44f0c56 100644
--- a/src/Module/Security/TwoFactor/Verify.php
+++ b/src/Module/Security/TwoFactor/Verify.php
@@ -82,7 +82,7 @@ class Verify extends BaseModule
 '$errors_label' => DI::l10n()->tt('Error', 'Errors', count(self::$errors)),
 '$errors' => self::$errors,
 '$recovery_message' => DI::l10n()->t('Don’t have your phone? Enter a two-factor recovery code', '2fa/recovery'),
- '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus placeholder="000000"', 'tel'],
+ '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"', 'tel'],
 '$verify_label' => DI::l10n()->t('Verify code and complete login'),
 ]);
 }
diff --git a/src/Module/Settings/TwoFactor/Verify.php b/src/Module/Settings/TwoFactor/Verify.php
index f427fdfe42..423c341ecb 100644
--- a/src/Module/Settings/TwoFactor/Verify.php
+++ b/src/Module/Settings/TwoFactor/Verify.php
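Review bot: `autocomplete="off"` on the verify_code input is advisory and is widely ignored by browsers for inputs they classify as login fields, so it may not reliably keep the code out of autofill history. The autofill token the HTML standard defines for this purpose is `autocomplete="one-time-code"`, which marks the field as a single-use code and also enables platform OTP autofill on mobile, so the attribute string would read `'autofocus autocomplete="one-time-code" placeholder="000000"'`. The same applies to the src/Module/Settings/TwoFactor/Verify.php hunk that follows. The template array and the method it sits in begin outside the hunk.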
@@ -138,7 +138,7 @@ class Verify extends BaseSettings
 '$holder' => $holder,
 '$secret' => $secret,
- '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus placeholder="000000"'],
+ '$verify_code' => ['verify_code', DI::l10n()->t('Please enter a code from your authentication app'), '', '', DI::l10n()->t('Required'), 'autofocus autocomplete="off" placeholder="000000"'],
 '$verify_label' => DI::l10n()->t('Verify code and enable two-factor authentication'),
 ]);
 }

From 3f32d04c447d48c2f88223c30ed383e3f227b966 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 21 Dec 2020 00:26:48 -0500
Subject: [PATCH 2/4] Append author's contact id to allowed contacts to prevent empty ACL for private posts

---
 mod/item.php | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/mod/item.php b/mod/item.php
index 6864dabacd..d1e1d06ce0 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -50,6 +50,7 @@ use Friendica\Model\Notify\Type;
 use Friendica\Model\Photo;
 use Friendica\Model\Post;
 use Friendica\Model\Tag;
+use Friendica\Model\User;
 use Friendica\Network\HTTPException;
 use Friendica\Object\EMail\ItemCCEMail;
 use Friendica\Protocol\Activity;
@@ -195,8 +196,7 @@ function item_post(App $a) {
 $orig_post = Item::selectFirst(Item::ITEM_FIELDLIST, ['id' => $post_id]);
 }
- $user = DBA::selectFirst('user', [], ['uid' => $profile_uid]);
-
+ $user = User::getById($profile_uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
 if (!DBA::isResult($user) && !$toplevel_item_id) {
 return 0;
 }
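Review bot: `User::getById()` is now asked for only the four ACL columns, so the returned `$user` no longer carries `uid` or any other user field; the two notification arrays later in this patch were switched to `$profile_uid`, but any other `$user[...]` read in item_post() outside these hunks would now yield null (silently where guarded with `??`, with an undefined-index notice otherwise). Worth grepping the rest of item_post() before merging, or adding `'uid'` to the field list if anything else still depends on it. The `!$toplevel_item_id` clause also means a comment continues with `$user === false`, which the `?? ''` fallbacks tolerate but is worth a one-line comment such as `// $user may be false for comments; ACL defaults below fall back to ''`. item_post() continues outside the hunk.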
@@ -272,6 +272,11 @@ function item_post(App $a) {
 $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? '';
 $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? '';
 $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? '';
+
+ // Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
+ // that would make the item public. So we always append the author's contact id to the allowed contacts.
+ // See https://github.com/friendica/friendica/issues/9672
+ $str_contact_allow .= $aclFormatter->toString(Contact::getPublicIdByUserId($uid));
 }
 $title = trim($_REQUEST['title'] ?? '');
@@ -750,7 +755,7 @@ function item_post(App $a) {
 'type' => Type::COMMENT,
 'otype' => Notify\ObjectType::ITEM,
 'verb' => Activity::POST,
- 'uid' => $user['uid'],
+ 'uid' => $profile_uid,
 'cid' => $datarray['author-id'],
 'item' => $datarray,
 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),
@@ -760,7 +765,7 @@ function item_post(App $a) {
 'type' => Type::WALL,
 'otype' => Notify\ObjectType::ITEM,
 'verb' => Activity::POST,
- 'uid' => $user['uid'],
+ 'uid' => $profile_uid,
 'cid' => $datarray['author-id'],
 'item' => $datarray,
 'link' => DI::baseUrl() . '/display/' . urlencode($datarray['guid']),

From a7b8c4f8d5314f559222be56cddb590f7c21a2bf Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 21 Dec 2020 00:27:12 -0500
Subject: [PATCH 3/4] Append author's contact id to allowed contacts to prevent empty ACL for private events

---
 mod/events.php | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/mod/events.php b/mod/events.php
index 695432e2a4..9706980afe 100644
--- a/mod/events.php
+++ b/mod/events.php
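Review bot: The appended contact id is resolved from `$uid` while the ACL defaults just above and the notification arrays later in this patch are keyed on `$profile_uid`; if `$uid` is the logged-in user and `$profile_uid` the wall owner, the id added to `allow_cid` is the poster's rather than the owner's, which may be intended but deserves a comment saying so. More importantly, if `Contact::getPublicIdByUserId()` can return 0 or null for a user without a self contact, `toString()` may yield an empty string and the ACL stays empty — the exact public-by-default case this change exists to prevent — so it should fail closed: `$authorCid = Contact::getPublicIdByUserId($uid);` / `if (!$authorCid) { return 0; }` / `$str_contact_allow .= $aclFormatter->toString($authorCid);`. Appending unconditionally also duplicates the id when the form already listed it, which is harmless only if `toString()` or the consumer de-duplicates. The enclosing visibility `if` opens above the hunk and item_post() continues past it.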
@@ -163,31 +163,39 @@ function events_post(App $a)
 if ($share) {
+ $str_contact_allow = '';
+ $str_group_allow = '';
+ $str_contact_deny = '';
+ $str_group_deny = '';
- $aclFormatter = DI::aclFormatter();
+ if (($_REQUEST['visibility'] ?? '') !== 'public') {
+ $user = User::getById($uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid']);
+ if (!DBA::isResult($user)) {
+ return;
+ }
- $str_group_allow = $aclFormatter->toString($_POST['group_allow'] ?? '');
- $str_contact_allow = $aclFormatter->toString($_POST['contact_allow'] ?? '');
- $str_group_deny = $aclFormatter->toString($_POST['group_deny'] ?? '');
- $str_contact_deny = $aclFormatter->toString($_POST['contact_deny'] ?? '');
+ $aclFormatter = DI::aclFormatter();
+ $str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $user['allow_cid'] ?? '';
+ $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $user['allow_gid'] ?? '';
+ $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $user['deny_cid'] ?? '';
+ $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $user['deny_gid'] ?? '';
- // Undo the pseudo-contact of self, since there are real contacts now
- if (strpos($str_contact_allow, '<' . $self . '>') !== false) {
- $str_contact_allow = str_replace('<' . $self . '>', '', $str_contact_allow);
- }
- // Make sure to set the `private` field as true. This is necessary to
- // have the posts show up correctly in Diaspora if an event is created
- // as visible only to self at first, but then edited to display to others.
- if (strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) {
- $private_event = true;
+ // Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
+ // that would make the item public. So we always append the author's contact id to the allowed contacts.
+ // See https://github.com/friendica/friendica/issues/9672
+ $str_contact_allow .= $aclFormatter->toString(\Friendica\Model\Contact::getPublicIdByUserId($uid));
 }
 } else {
- // Note: do not set `private` field for self-only events. It will
- // keep even you from seeing them!
 $str_contact_allow = '<' . $self . '>';
 $str_group_allow = $str_contact_deny = $str_group_deny = '';
 }
+ // Make sure to set the `private` field as true. This is necessary to
+ // have the posts show up correctly in Diaspora if an event is created
+ // as visible only to self at first, but then edited to display to others.
+ if (strlen($str_group_allow) || strlen($str_contact_allow) || strlen($str_group_deny) || strlen($str_contact_deny)) {
+ $private_event = true;
+ }
 $datarray = [];
 $datarray['start'] = $start;

From 42d05bcc1b14c1018b01bd681023e2adbe630ea7 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 21 Dec 2020 00:27:16 -0500
Subject: [PATCH 4/4] Append author's contact id to allowed contacts to prevent empty ACL for private posts

---
 mod/photos.php | 43 +++++++++++++++++++------------------------
 1 file changed, 19 insertions(+), 24 deletions(-)

diff --git a/mod/photos.php b/mod/photos.php
index 1a16f68026..6e9a96ab2d 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -155,10 +155,6 @@ function photos_init(App $a) {
 function photos_post(App $a)
 {
- Logger::log('mod-photos: photos_post: begin' , Logger::DEBUG);
- Logger::log('mod_photos: REQUEST ' . print_r($_REQUEST, true), Logger::DATA);
- Logger::log('mod_photos: FILES ' . print_r($_FILES, true), Logger::DATA);
-
 $phototypes = Images::supportedTypes();
 $can_post = false;
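Review bot: Moving the `$private_event = true` check below the `if ($share) … else` means it now also runs for the self-only branch, where `$str_contact_allow` is always `'<' . $self . '>'` and therefore non-empty, so every unshared event becomes private; the comment this patch deletes ("do not set `private` field for self-only events. It will keep even you from seeing them!") warned against exactly that, so either the warning is obsolete and the commit message should say so, or the check belongs back inside the `if ($share)` branch. The ACL inputs also switch from `$_POST` to `$_REQUEST`, which lets query-string values populate an event's allow/deny lists — acceptable only if the form-token check does not rely on the POST body. The bare `return;` when `User::getById()` finds no row leaves the handler with no user feedback, unlike the `notice()` + `exit()` pattern mod/photos.php uses for the same condition, and unlike the mod/item.php patch this hunk adds no `use Friendica\Model\User;`, so confirm the import already exists in mod/events.php. events_post() continues outside the hunk.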
@@ -184,10 +180,28 @@ function photos_post(App $a)
 if (!$owner_record) {
 notice(DI::l10n()->t('Contact information unavailable'));
- Logger::log('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid);
+ DI::logger()->info('photos_post: unable to locate contact record for page owner. uid=' . $page_owner_uid);
 exit();
 }
+ $str_contact_allow = '';
+ $str_group_allow = '';
+ $str_contact_deny = '';
+ $str_group_deny = '';
+
+ if (($_REQUEST['visibility'] ?? '') !== 'public') {
+ $aclFormatter = DI::aclFormatter();
+ $str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact_allow']) : $owner_record['allow_cid'] ?? '';
+ $str_group_allow = isset($_REQUEST['group_allow']) ? $aclFormatter->toString($_REQUEST['group_allow']) : $owner_record['allow_gid'] ?? '';
+ $str_contact_deny = isset($_REQUEST['contact_deny']) ? $aclFormatter->toString($_REQUEST['contact_deny']) : $owner_record['deny_cid'] ?? '';
+ $str_group_deny = isset($_REQUEST['group_deny']) ? $aclFormatter->toString($_REQUEST['group_deny']) : $owner_record['deny_gid'] ?? '';
+
+ // Since we know from the visibility parameter it should be private, we have to prevent the empty ACL case
+ // that would make the item public. So we always append the author's contact id to the allowed contacts.
+ // See https://github.com/friendica/friendica/issues/9672
+ $str_contact_allow .= $aclFormatter->toString(\Friendica\Model\Contact::getPublicIdByUserId($page_owner_uid));
+ }
+
 if ($a->argc > 3 && $a->argv[2] === 'album') {
 if (!Strings::isHex($a->argv[3])) {
 DI::baseUrl()->redirect('photos/' . $a->data['user']['nickname'] . '/album');
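Review bot: The ACL defaults fall back to `$owner_record['allow_cid']` and siblings, but the log line two lines above calls `$owner_record` a contact record, while the mod/item.php and mod/events.php patches read those columns from the user row via `User::getById($uid, ['allow_cid', 'allow_gid', 'deny_cid', 'deny_gid'])`; if the contact row has no such columns, `?? ''` yields an empty default every time without any notice, and the only allowed contact becomes the appended owner id regardless of the user's configured default ACL. Loading the user row the same way here would keep the three handlers consistent and make the fallback meaningful. Separately, the block deleted at `@@ -639` accepted comma-separated strings via `explode(',', …)` before calling `toString()`, whereas the new code passes the raw `$_REQUEST` value, so confirm `toString()` accepts a string or the upload path silently drops form-supplied ACLs. photos_post() continues outside the hunk.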
@@ -313,13 +327,6 @@ function photos_post(App $a)
 $albname = !empty($_POST['albname']) ? trim($_POST['albname']) : '';
 $origaname = !empty($_POST['origaname']) ? Strings::escapeTags(trim($_POST['origaname'])) : '';
- $aclFormatter = DI::aclFormatter();
-
- $str_group_allow = !empty($_POST['group_allow']) ? $aclFormatter->toString($_POST['group_allow']) : '';
- $str_contact_allow = !empty($_POST['contact_allow']) ? $aclFormatter->toString($_POST['contact_allow']) : '';
- $str_group_deny = !empty($_POST['group_deny']) ? $aclFormatter->toString($_POST['group_deny']) : '';
- $str_contact_deny = !empty($_POST['contact_deny']) ? $aclFormatter->toString($_POST['contact_deny']) : '';
-
 $resource_id = $a->argv[3];
 if (!strlen($albname)) {
@@ -639,18 +646,6 @@ function photos_post(App $a)
 $visible = 0;
 }
- $group_allow = $_REQUEST['group_allow'] ?? [];
- $contact_allow = $_REQUEST['contact_allow'] ?? [];
- $group_deny = $_REQUEST['group_deny'] ?? [];
- $contact_deny = $_REQUEST['contact_deny'] ?? [];
-
- $aclFormatter = DI::aclFormatter();
-
- $str_group_allow = $aclFormatter->toString(is_array($group_allow) ? $group_allow : explode(',', $group_allow));
- $str_contact_allow = $aclFormatter->toString(is_array($contact_allow) ? $contact_allow : explode(',', $contact_allow));
- $str_group_deny = $aclFormatter->toString(is_array($group_deny) ? $group_deny : explode(',', $group_deny));
- $str_contact_deny = $aclFormatter->toString(is_array($contact_deny) ? $contact_deny : explode(',', $contact_deny));
-
 $ret = ['src' => '', 'filename' => '', 'filesize' => 0, 'type' => ''];
 Hook::callAll('photo_post_file', $ret);