From 29bd37cda2625ed66a6f135c1603ea445dde2db9 Mon Sep 17 00:00:00 2001
From: Michael <heluecht@pirati.ca>
Date: Thu, 19 Mar 2020 21:55:31 +0000
Subject: [PATCH] Issue 8371: Ensure to always have permissions

---
 mod/item.php | 38 +++++++++-----------------------------
 1 file changed, 9 insertions(+), 29 deletions(-)

diff --git a/mod/item.php b/mod/item.php
index a9f1ef808b..3566e2150c 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -244,10 +244,10 @@ function item_post(App $a) {
 	$body = preg_replace('#\[url=([^\]]*?)\]\[/url\]#ism', '[url]$1[/url]', $body);
 
 	if (!empty($orig_post)) {
-		$str_group_allow   = $orig_post['allow_gid'];
-		$str_contact_allow = $orig_post['allow_cid'];
-		$str_group_deny    = $orig_post['deny_gid'];
-		$str_contact_deny  = $orig_post['deny_cid'];
+		$str_group_allow   = $orig_post['allow_gid'] ?? '';
+		$str_contact_allow = $orig_post['allow_cid'] ?? '';
+		$str_group_deny    = $orig_post['deny_gid']  ?? '';
+		$str_contact_deny  = $orig_post['deny_cid']  ?? '';
 		$location          = $orig_post['location'];
 		$coord             = $orig_post['coord'];
 		$verb              = $orig_post['verb'];
@@ -261,33 +261,13 @@ function item_post(App $a) {
 		$network           = $orig_post['network'];
 		$guid              = $orig_post['guid'];
 		$extid             = $orig_post['extid'];
-
 	} else {
+		$aclFormatter = DI::aclFormatter();
 
-		/*
-		 * if coming from the API and no privacy settings are set,
-		 * use the user default permissions - as they won't have
-		 * been supplied via a form.
-		 */
-		if ($api_source
-			&& !array_key_exists('contact_allow', $_REQUEST)
-			&& !array_key_exists('group_allow', $_REQUEST)
-			&& !array_key_exists('contact_deny', $_REQUEST)
-			&& !array_key_exists('group_deny', $_REQUEST)) {
-			$str_group_allow   = $user['allow_gid'];
-			$str_contact_allow = $user['allow_cid'];
-			$str_group_deny    = $user['deny_gid'];
-			$str_contact_deny  = $user['deny_cid'];
-		} else {
-			// use the posted permissions
-
-			$aclFormatter = DI::aclFormatter();
-
-			$str_group_allow   = $aclFormatter->toString($_REQUEST['group_allow'] ?? '');
-			$str_contact_allow = $aclFormatter->toString($_REQUEST['contact_allow'] ?? '');
-			$str_group_deny    = $aclFormatter->toString($_REQUEST['group_deny'] ?? '');
-			$str_contact_deny  = $aclFormatter->toString($_REQUEST['contact_deny'] ?? '');
-		}
+		$str_group_allow   = isset($_REQUEST['group_allow'])   ? $aclFormatter->toString($_REQUEST['group_allow'])    : $user['allow_gid'] ?? '';
+		$str_contact_allow = isset($_REQUEST['contact_allow']) ? $aclFormatter->toString($_REQUEST['contact__allow']) : $user['allow_cid'] ?? '';
+		$str_group_deny    = isset($_REQUEST['group_deny'])    ? $aclFormatter->toString($_REQUEST['group_deny'])     : $user['deny_gid']  ?? '';
+		$str_contact_deny  = isset($_REQUEST['contact_deny'])  ? $aclFormatter->toString($_REQUEST['contact_deny'])   : $user['deny_cid']  ?? '';
 
 		$title             = Strings::escapeTags(trim($_REQUEST['title']    ?? ''));
 		$location          = Strings::escapeTags(trim($_REQUEST['location'] ?? ''));