diff --git a/boot.php b/boot.php index b0a6311703..d5feaed2d1 100755 --- a/boot.php +++ b/boot.php @@ -9,7 +9,7 @@ require_once('include/nav.php'); require_once('include/cache.php'); define ( 'FRIENDICA_PLATFORM', 'Friendica'); -define ( 'FRIENDICA_VERSION', '2.3.1283' ); +define ( 'FRIENDICA_VERSION', '2.3.1285' ); define ( 'DFRN_PROTOCOL_VERSION', '2.23' ); define ( 'DB_UPDATE_VERSION', 1132 ); diff --git a/include/conversation.php b/include/conversation.php index 8ca484c9e7..e9f024c274 100755 --- a/include/conversation.php +++ b/include/conversation.php @@ -649,7 +649,7 @@ function conversation(&$a, $items, $mode, $update, $preview = false) { // template to use to render item (wall, walltowall, search) 'template' => $template, - 'type' => implode("",array_slice(split("/",$item['verb']),-1)), + 'type' => implode("",array_slice(explode("/",$item['verb']),-1)), 'tags' => $tags, 'body' => template_escape($body), 'text' => strip_tags(template_escape($body)), diff --git a/include/dba.php b/include/dba.php index 7455b6b3ee..5beea7a3ac 100755 --- a/include/dba.php +++ b/include/dba.php @@ -1,5 +1,7 @@ debug) - logger('dba: ' . printable(print_r($r, true)), LOGGER_DATA); + logger('dba: ' . printable(print_r($r, true))); return($r); } diff --git a/include/delivery.php b/include/delivery.php index 44a482ca28..532dcd6991 100755 --- a/include/delivery.php +++ b/include/delivery.php @@ -256,7 +256,8 @@ function delivery_run($argv, $argc){ '$picdate' => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) , '$uridate' => xmlify(datetime_convert('UTC','UTC',$owner['uri-date'] . '+00:00' , ATOM_TIME)) , '$namdate' => xmlify(datetime_convert('UTC','UTC',$owner['name-date'] . '+00:00' , ATOM_TIME)) , - '$birthday' => $birthday + '$birthday' => $birthday, + '$community' => (($owner['page-flags'] == PAGE_COMMUNITY) ? '1' : '') )); foreach($items as $item) { diff --git a/include/email.php b/include/email.php index a3449a4249..8ea8145fb6 100755 --- a/include/email.php +++ b/include/email.php @@ -56,7 +56,7 @@ function email_msg_headers($mbox,$uid) { $raw_header = (($mbox && $uid) ? @imap_fetchheader($mbox,$uid,FT_UID) : ''); $raw_header = str_replace("\r",'',$raw_header); $ret = array(); - $h = split("\n",$raw_header); + $h = explode("\n",$raw_header); if(count($h)) foreach($h as $line ) { if (preg_match("/^[a-zA-Z]/", $line)) { diff --git a/include/items.php b/include/items.php index 5e1fec5578..5a297c83ef 100755 --- a/include/items.php +++ b/include/items.php @@ -28,7 +28,7 @@ function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0) $sql_extra = " AND `allow_cid` = '' AND `allow_gid` = '' AND `deny_cid` = '' AND `deny_gid` = '' "; - $r = q("SELECT `contact`.*, `user`.`uid` AS `user_uid`, `user`.`nickname`, `user`.`timezone` + $r = q("SELECT `contact`.*, `user`.`uid` AS `user_uid`, `user`.`nickname`, `user`.`timezone`, `user`.`page-flags` FROM `contact` LEFT JOIN `user` ON `user`.`uid` = `contact`.`uid` WHERE `contact`.`self` = 1 AND `user`.`nickname` = '%s' LIMIT 1", dbesc($owner_nick) @@ -156,7 +156,8 @@ function get_feed_for(&$a, $dfrn_id, $owner_nick, $last_update, $direction = 0) '$picdate' => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) , '$uridate' => xmlify(datetime_convert('UTC','UTC',$owner['uri-date'] . '+00:00' , ATOM_TIME)) , '$namdate' => xmlify(datetime_convert('UTC','UTC',$owner['name-date'] . '+00:00' , ATOM_TIME)) , - '$birthday' => ((strlen($birthday)) ? '' . xmlify($birthday) . '' : '') + '$birthday' => ((strlen($birthday)) ? '' . xmlify($birthday) . '' : ''), + '$community' => (($owner['page-flags'] == PAGE_COMMUNITY) ? '1' : '') )); call_hooks('atom_feed', $atom); @@ -1404,6 +1405,19 @@ function consume_feed($xml,$importer,&$contact, &$hub, $datedir = 0, $pass = 0) } + $community_page = 0; + $rawtags = $feed->get_feed_tags( NAMESPACE_DFRN, 'community'); + if($rawtags) { + $community_page = intval($rawtags[0]['data']); + } + if(is_array($contact) && intval($contact['forum']) != $community_page) { + q("update contact set forum = %d where id = %d limit 1", + intval($community_page), + intval($contact['id']) + ); + $contact['forum'] = (string) $community_page; + } + // process any deleted entries @@ -1987,6 +2001,19 @@ function local_delivery($importer,$data) { // NOTREACHED } + + $community_page = 0; + $rawtags = $feed->get_feed_tags( NAMESPACE_DFRN, 'community'); + if($rawtags) { + $community_page = intval($rawtags[0]['data']); + } + if(intval($importer['forum']) != $community_page) { + q("update contact set forum = %d where id = %d limit 1", + intval($community_page), + intval($importer['id']) + ); + $importer['forum'] = (string) $community_page; + } logger('local_delivery: feed item count = ' . $feed->get_item_quantity()); diff --git a/include/network.php b/include/network.php index c72919dd8b..22157ff188 100755 --- a/include/network.php +++ b/include/network.php @@ -303,7 +303,7 @@ function webfinger_dfrn($s,&$hcard) { if(! function_exists('webfinger')) { -function webfinger($s) { +function webfinger($s, $debug = false) { $host = ''; if(strstr($s,'@')) { $host = substr($s,strpos($s,'@') + 1); @@ -328,7 +328,7 @@ function webfinger($s) { }} if(! function_exists('lrdd')) { -function lrdd($uri) { +function lrdd($uri, $debug = false) { $a = get_app(); diff --git a/include/notifier.php b/include/notifier.php index 07edc70465..d63ad7ae7c 100755 --- a/include/notifier.php +++ b/include/notifier.php @@ -337,7 +337,9 @@ function notifier_run($argv, $argc){ '$picdate' => xmlify(datetime_convert('UTC','UTC',$owner['avatar-date'] . '+00:00' , ATOM_TIME)) , '$uridate' => xmlify(datetime_convert('UTC','UTC',$owner['uri-date'] . '+00:00' , ATOM_TIME)) , '$namdate' => xmlify(datetime_convert('UTC','UTC',$owner['name-date'] . '+00:00' , ATOM_TIME)) , - '$birthday' => $birthday + '$birthday' => $birthday, + '$community' => (($owner['page-flags'] == PAGE_COMMUNITY) ? '1' : '') + )); if($mail) { diff --git a/include/poller.php b/include/poller.php index 3bc98e36ff..8262c1d605 100755 --- a/include/poller.php +++ b/include/poller.php @@ -232,7 +232,7 @@ function poller_run($argv, $argc){ $importer_uid = $contact['uid']; - $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1", + $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` LEFT JOIN `user` on `contact`.`uid` = `user`.`uid` WHERE `user`.`uid` = %d AND `contact`.`self` = 1 LIMIT 1", intval($importer_uid) ); if(! count($r)) diff --git a/include/queue.php b/include/queue.php index d312b50f5a..7e92705be2 100755 --- a/include/queue.php +++ b/include/queue.php @@ -61,13 +61,18 @@ function queue_run($argv, $argc){ q("DELETE FROM `queue` WHERE `created` < UTC_TIMESTAMP() - INTERVAL 3 DAY"); } - if($queue_id) + if($queue_id) { $r = q("SELECT `id` FROM `queue` WHERE `id` = %d LIMIT 1", intval($queue_id) ); - else - $r = q("SELECT `id` FROM `queue` WHERE `last` < UTC_TIMESTAMP() - INTERVAL 15 MINUTE "); + } + else { + // For the first 12 hours we'll try to deliver every 15 minutes + // After that, we'll only attempt delivery once per hour. + + $r = q("SELECT `id` FROM `queue` WHERE (( `created` > UTC_TIMESTAMP() - INTERVAL 12 HOUR && `last` < UTC_TIMESTAMP() - INTERVAL 15 MINUTE ) OR ( `last` < UTC_TIMESTAMP() - INTERVAL 1 HOUR ))"); + } if(! count($r)){ return; } diff --git a/include/security.php b/include/security.php index 6ea515bffe..19e91eb63d 100755 --- a/include/security.php +++ b/include/security.php @@ -299,16 +299,16 @@ function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are, * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types). */ -function get_form_security_token($typename = "") { +function get_form_security_token($typename = '') { $a = get_app(); $timestamp = time(); - $sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $timestamp . $typename); + $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename); - return $timestamp . "." . $sec_hash; + return $timestamp . '.' . $sec_hash; } -function check_form_security_token($typename = "", $formname = 'form_security_token') { +function check_form_security_token($typename = '', $formname = 'form_security_token') { if (!x($_REQUEST, $formname)) return false; $hash = $_REQUEST[$formname]; @@ -316,10 +316,10 @@ function check_form_security_token($typename = "", $formname = 'form_security_to $a = get_app(); - $x = explode(".", $hash); + $x = explode('.', $hash); if (time() > (IntVal($x[0]) + $max_livetime)) return false; - $sec_hash = hash('whirlpool', $a->user["guid"] . $a->user["prvkey"] . session_id() . $x[0] . $typename); + $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename); return ($sec_hash == $x[1]); } @@ -327,10 +327,20 @@ function check_form_security_token($typename = "", $formname = 'form_security_to function check_form_security_std_err_msg() { return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before subitting it.') . EOL; } -function check_form_security_token_redirectOnErr($err_redirect, $typename = "", $formname = 'form_security_token') { +function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') { if (!check_form_security_token($typename, $formname)) { $a = get_app(); + logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); + logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); notice( check_form_security_std_err_msg() ); goaway($a->get_baseurl() . $err_redirect ); } } +function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') { + if (!check_form_security_token($typename, $formname)) { + logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename); + logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA); + header('HTTP/1.1 403 Forbidden'); + killme(); + } +} \ No newline at end of file diff --git a/include/template_processor.php b/include/template_processor.php index 93bf391c5f..4c317efe1f 100755 --- a/include/template_processor.php +++ b/include/template_processor.php @@ -203,7 +203,7 @@ $os=$s; $count++; $s = $this->var_replace($s); } - return template_unescape($s); + return $s; } } diff --git a/include/text.php b/include/text.php index cdf82ca87d..89acbf9fab 100644 --- a/include/text.php +++ b/include/text.php @@ -20,7 +20,7 @@ function replace_macros($s,$r) { //$a = get_app(); //$a->page['debug'] .= "$tt
\n"; - return $r; + return template_unescape($r); }} diff --git a/js/main.js b/js/main.js index c20455ad14..babd2a1c38 100755 --- a/js/main.js +++ b/js/main.js @@ -486,9 +486,9 @@ return a.join(''); } - function groupChangeMember(gid,cid) { + function groupChangeMember(gid, cid, sec_token) { $('body .fakelink').css('cursor', 'wait'); - $.get('group/' + gid + '/' + cid, function(data) { + $.get('group/' + gid + '/' + cid + "?t=" + sec_token, function(data) { $('#group-update-wrapper').html(data); $('body .fakelink').css('cursor', 'auto'); }); diff --git a/mod/dfrn_poll.php b/mod/dfrn_poll.php index b12e071328..fe5cd49063 100755 --- a/mod/dfrn_poll.php +++ b/mod/dfrn_poll.php @@ -199,7 +199,7 @@ function dfrn_poll_post(&$a) { $ptype = ((x($_POST,'type')) ? $_POST['type'] : ''); $dfrn_version = ((x($_POST,'dfrn_version')) ? (float) $_POST['dfrn_version'] : 2.0); $perm = ((x($_POST,'perm')) ? $_POST['perm'] : 'r'); - + if($ptype === 'profile-check') { if((strlen($challenge)) && (strlen($sec))) { @@ -358,8 +358,8 @@ function dfrn_poll_post(&$a) { intval($contact_id) ); } - } - + } + header("Content-type: application/atom+xml"); $o = get_feed_for($a,$dfrn_id, $a->argv[1], $last_update, $direction); echo $o; diff --git a/mod/directory.php b/mod/directory.php index 962188945f..7f18bd0268 100755 --- a/mod/directory.php +++ b/mod/directory.php @@ -25,10 +25,6 @@ function directory_post(&$a) { function directory_content(&$a) { - $everything = (($a->argc > 1 && $a->argv[1] === 'all' && is_site_admin()) ? true : false); - if(x($_SESSION,'submanage') && intval($_SESSION['submanage'])) - $everything = false; - if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) { notice( t('Public access denied.') . EOL); return; @@ -52,12 +48,6 @@ function directory_content(&$a) { } $admin = ''; - if(is_site_admin()) { - if($everything) - $admin = ''; - else - $admin = ''; - } $o .= replace_macros($tpl, array( '$search' => $search, @@ -73,17 +63,14 @@ function directory_content(&$a) { $search = dbesc($search); $sql_extra = ((strlen($search)) ? " AND MATCH (`profile`.`name`, `user`.`nickname`, `pdesc`, `locality`,`region`,`country-name`,`gender`,`marital`,`sexual`,`about`,`romance`,`work`,`education`,`pub_keywords`,`prv_keywords` ) AGAINST ('$search' IN BOOLEAN MODE) " : ""); - $publish = ((get_config('system','publish_all') || $everything) ? '' : " AND `publish` = 1 " ); + $publish = ((get_config('system','publish_all')) ? '' : " AND `publish` = 1 " ); $r = q("SELECT COUNT(*) AS `total` FROM `profile` LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 $publish AND `user`.`blocked` = 0 $sql_extra "); if(count($r)) $a->set_pager_total($r[0]['total']); - if($everything) - $order = " ORDER BY `register_date` DESC "; - else - $order = " ORDER BY `name` ASC "; + $order = " ORDER BY `name` ASC "; $r = q("SELECT `profile`.*, `profile`.`uid` AS `profile_uid`, `user`.`nickname`, `user`.`timezone` FROM `profile` LEFT JOIN `user` ON `user`.`uid` = `profile`.`uid` WHERE `is-default` = 1 $publish AND `user`.`blocked` = 0 $sql_extra $order LIMIT %d , %d ", diff --git a/mod/group.php b/mod/group.php index 13401ef0d9..a282dbccf5 100755 --- a/mod/group.php +++ b/mod/group.php @@ -21,6 +21,8 @@ function group_post(&$a) { } if(($a->argc == 2) && ($a->argv[1] === 'new')) { + check_form_security_token_redirectOnErr('/group/new', 'group_edit'); + $name = notags(trim($_POST['groupname'])); $r = group_add(local_user(),$name); if($r) { @@ -35,6 +37,8 @@ function group_post(&$a) { return; // NOTREACHED } if(($a->argc == 2) && (intval($a->argv[1]))) { + check_form_security_token_redirectOnErr('/group', 'group_edit'); + $r = q("SELECT * FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1", intval($a->argv[1]), intval(local_user()) @@ -62,7 +66,8 @@ function group_post(&$a) { } function group_content(&$a) { - + $change = false; + if(! local_user()) { notice( t('Permission denied') . EOL); return; @@ -83,14 +88,17 @@ function group_content(&$a) { return replace_macros($tpl, $context + array( '$title' => t('Create a group of contacts/friends.'), - '$gname' => array('groupname',t('Group Name: '),$group['name'], ''), + '$gname' => array('groupname',t('Group Name: '), '', ''), '$gid' => 'new', + '$form_security_token' => get_form_security_token("group_edit"), )); } if(($a->argc == 3) && ($a->argv[1] === 'drop')) { + check_form_security_token_redirectOnErr('/group', 'group_drop', 't'); + if(intval($a->argv[2])) { $r = q("SELECT `name` FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1", intval($a->argv[2]), @@ -108,6 +116,8 @@ function group_content(&$a) { } if(($a->argc > 2) && intval($a->argv[1]) && intval($a->argv[2])) { + check_form_security_token_ForbiddenOnErr('group_member_change', 't'); + $r = q("SELECT `id` FROM `contact` WHERE `id` = %d AND `uid` = %d and `self` = 0 and `blocked` = 0 AND `pending` = 0 LIMIT 1", intval($a->argv[2]), intval(local_user()) @@ -155,7 +165,8 @@ function group_content(&$a) { $drop_tpl = get_markup_template('group_drop.tpl'); $drop_txt = replace_macros($drop_tpl, array( '$id' => $group['id'], - '$delete' => t('Delete') + '$delete' => t('Delete'), + '$form_security_token' => get_form_security_token("group_drop"), )); $celeb = ((($a->user['page-flags'] == PAGE_SOAPBOX) || ($a->user['page-flags'] == PAGE_COMMUNITY)) ? true : false); @@ -166,6 +177,7 @@ function group_content(&$a) { '$gname' => array('groupname',t('Group Name: '),$group['name'], ''), '$gid' => $group['id'], '$drop' => $drop_txt, + '$form_security_token' => get_form_security_token('group_edit'), ); } @@ -177,14 +189,14 @@ function group_content(&$a) { 'label_members' => t('Members'), 'members' => array(), 'label_contacts' => t('All Contacts'), - 'contacts' => arraY(), + 'contacts' => array(), ); - + $sec_token = addslashes(get_form_security_token('group_member_change')); $textmode = (($switchtotext && (count($members) > $switchtotext)) ? true : false); foreach($members as $member) { if($member['url']) { - $member['click'] = 'groupChangeMember(' . $group['id'] . ',' . $member['id'] . '); return true;'; + $member['click'] = 'groupChangeMember(' . $group['id'] . ',' . $member['id'] . ',\'' . $sec_token . '\'); return true;'; $groupeditor['members'][] = micropro($member,true,'mpgroup', $textmode); } else @@ -199,7 +211,7 @@ function group_content(&$a) { $textmode = (($switchtotext && (count($r) > $switchtotext)) ? true : false); foreach($r as $member) { if(! in_array($member['id'],$preselected)) { - $member['click'] = 'groupChangeMember(' . $group['id'] . ',' . $member['id'] . '); return true;'; + $member['click'] = 'groupChangeMember(' . $group['id'] . ',' . $member['id'] . ',\'' . $sec_token . '\'); return true;'; $groupeditor['contacts'][] = micropro($member,true,'mpall', $textmode); } } diff --git a/mod/photos.php b/mod/photos.php index e40ae0d74a..4406780d3d 100755 --- a/mod/photos.php +++ b/mod/photos.php @@ -1069,7 +1069,7 @@ function photos_content(&$a) { if($can_post && ($ph[0]['uid'] == $owner_uid)) { $tools = array( 'edit' => array($a->get_baseurl() . '/photos/' . $a->data['user']['nickname'] . '/image/' . $datum . (($cmd === 'edit') ? '' : '/edit'), (($cmd === 'edit') ? t('View photo') : t('Edit photo'))), - 'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'], t('Use as profile photo')), + 'profile'=>array($a->get_baseurl() . '/profile_photo/use/'.$ph[0]['resource-id'] . '?form_security_token=' . get_form_security_token('profile_photo'), t('Use as profile photo')), ); // lock diff --git a/view/atom_feed.tpl b/view/atom_feed.tpl index 72cf8e4fd8..2feb547ee2 100755 --- a/view/atom_feed.tpl +++ b/view/atom_feed.tpl @@ -16,6 +16,7 @@ $hub $salmon + $community $feed_updated diff --git a/view/atom_feed_dfrn.tpl b/view/atom_feed_dfrn.tpl index 3d6bcc5b5a..0bae62b526 100755 --- a/view/atom_feed_dfrn.tpl +++ b/view/atom_feed_dfrn.tpl @@ -12,10 +12,11 @@ $feed_id $feed_title - Friendika + Friendica $hub $salmon + $community $feed_updated diff --git a/view/group_drop.tpl b/view/group_drop.tpl index cbae1610f4..2cbebbb8e5 100755 --- a/view/group_drop.tpl +++ b/view/group_drop.tpl @@ -1,5 +1,5 @@
-
+ {{ inc field_input.tpl with $field=$gname }}{{ endinc }} {{ if $drop }}$drop{{ endif }} diff --git a/view/theme/dispy-dark/style.css b/view/theme/dispy-dark/style.css index b4aefbbf23..eaaa0acbd0 100644 --- a/view/theme/dispy-dark/style.css +++ b/view/theme/dispy-dark/style.css @@ -1258,7 +1258,7 @@ section { } [class^="comment-edit-text"] { margin: 5px 0 10px 20px; - width: 86.5%; + width: 84.5%; } .comment-edit-text-empty { height: 20px; diff --git a/view/theme/dispy/style.css b/view/theme/dispy/style.css index 26ac08c8c5..812c5ee2e6 100644 --- a/view/theme/dispy/style.css +++ b/view/theme/dispy/style.css @@ -1256,7 +1256,7 @@ section { } [class^="comment-edit-text"] { margin: 5px 0 10px 20px; - width: 86.5%; + width: 84.5%; } .comment-edit-text-empty { height: 20px;