Commit Graph

144 Commits

Author SHA1 Message Date
Evan Prodromou
1525acdca1 Extend authorization framework to cover login and API use
I've extended the rights framework (centering on the Right class and Profile::hasRight()) to cover
Web login and API use. This will make it possible to prevent login and API use by users.

I added two new Right constants to the Right class: WEBLOGIN and API. I check these rights using
Profile::hasRight() when initializing users. If the rights check fails, I throw an exception.

I created a new AuthorizationException class for this particular
exception, in order to allow a different UI for these kinds of exceptions (or whatever).
2011-02-21 10:20:42 -05:00
Brion Vibber
454a980bd4 Fix for failure/exception on subscription/subscriber lists when deleted profiles are stuck in cached list.
Workaround for deleted profiles still appearing in cached subscriptions/subscribers lists: if we couldn't fetch them, don't include them in the ArrayWrapper.
ArrayWrapper doesn't deal well with null entries, which aren't meant to happen in how it works. This code has recently changed from dying directly with a PHP fatal error in that case to throwing an exception, which allows tracking down the caller.

It looks like there might be some cases where profiles and their matching subscriptions get deleted, but the subscription entries don't get properly cleared from cache... that still bears further investigation. The regular code path looks ok; calls Subscription::cancel() from code called in Profile::delete(); but if they're batch-deleted instead of one row at a time, that could fail to trigger.
2011-02-11 13:21:53 -08:00
Zach Copley
df19e88323 Atom output - Reinstate activity:actor and activity:subject
w/deprecation warnings. Also add statusnet:profile_info back into
author/actor.
2011-02-09 23:18:14 -08:00
Brion Vibber
90c7ff1983 Merge branch 'master' into 0.9.x 2010-12-28 11:37:38 -08:00
Brion Vibber
d3d9797496 Prevent group creation by silenced users.
* adds Right::CREATEGROUP
* logic in Profile::hasRight() checks for silencing
* NewgroupAction checks for the permission before letting you see or process the form in the UI
* User_group::register() logic does a low-level check on the specified initial group admin, and rejects creation if that user doesn't have the right; guaranteeing that API methods etc will also have this restriction applied sensibly.
2010-12-28 11:34:02 -08:00
Evan Prodromou
9a6ceb3303 Merge branch 'righttoleave' into 0.9.x 2010-12-22 11:22:51 -08:00
Brion Vibber
4adf551f9f Update sorting for user tagged timelines (indexing was bad before and remains bad -- we need some DB changes to make this one nice) 2010-12-17 13:45:40 -08:00
Brion Vibber
4cd3a0756b Update notice sorting for profile streams; extract more common code to Notice::addSinceId() and Notice::addMaxId() 2010-12-17 13:20:38 -08:00
Evan Prodromou
75aaa98462 define rights for account maintenance and default rules 2010-12-13 16:28:32 -05:00
Zach Copley
bb55784e90 Move getConnectedApps() from Profile to User, where it belongs 2010-12-12 17:37:42 -08:00
Evan Prodromou
7285bbc93b Subscription stream functions
Made two new functions, Subscription::bySubscriber() and
Subscription::bySubscribed(), to get streams of Subscription objects.

Converted Profile::getSubscribers() and Profile::getSubscriptions() to
use these functions.
2010-12-11 10:24:46 -05:00
Brion Vibber
407663fb40 Merge branch 'master' of gitorious.org:statusnet/mainline into 0.9.x 2010-11-19 12:44:43 -08:00
Brion Vibber
4b01dd8b2e Ticket #2441: fix deletion of avatars when a profile is deleted.
Code was doing a batch call to $avatar->delete() which fails to properly engage the file deletion code. Calling the existing profile->delete_avatars() function deletes them individually, which makes it all work nice again.
2010-11-19 12:40:18 -08:00
Brion Vibber
e4eb3b3dfd Merge branch 'master' of gitorious.org:statusnet/mainline into 0.9.x 2010-11-15 17:36:48 -08:00
Brion Vibber
0d0e51292d some User -> Profile cleanup to help in adapting the profile page action to show stuff for remote users. Subscriptions, groups, roles, etc are all on profiles now so go ahead and use em. 2010-11-15 15:32:57 -08:00
Siebrand Mazeland
a65362f7fa Add context for different uses of "%1$s (%2$s)" 2010-11-02 23:08:59 +01:00
Brion Vibber
426cda5e1f Alternate pretty-title tweaks for #2668 2010-11-02 13:42:44 -07:00
Evan Prodromou
aef88c7cee max_id is inclusive 2010-10-25 11:18:49 -04:00
Evan Prodromou
968f9b0513 change max_id from < to <= 2010-10-25 11:08:53 -04:00
Evan Prodromou
1d85bfece1 New events when granting and revoking roles
Four new events for when roles are granted or revoked.
2010-10-22 10:31:50 -04:00
Zach Copley
e8b6d7c946 Add support for an anonymous OAuth consumer. Note: this requires a
small DB tweak.  Oauth_application_user needs to have the primary
compound key: (profile_id, application_id, token).

http://status.net/open-source/issues/2761

This should also make it possible to have multiple access tokens
per application.

http://status.net/open-source/issues/2788
2010-10-19 20:54:53 -07:00
Brion Vibber
f4f16af8ac Add a basic group deletion for moderator users. 2010-10-12 15:49:20 -07:00
Zach Copley
3960c9ad39 Move blowFavesCache() to Profile 2010-09-29 16:35:12 -07:00
Zach Copley
c19e592fa8 Move hasFave() to Profile 2010-09-29 16:35:12 -07:00
Siebrand Mazeland
9587f9f55b * i18n/L10n and translator documentation updates.
* whitespace and indentation updates
2010-09-28 23:42:18 +02:00
Evan Prodromou
974ac48771 bug in Profile::fromURI() wasn't returning profile 2010-09-01 16:55:16 -04:00
Evan Prodromou
7bec455a21 Static method to get a profile based on an URI 2010-09-01 16:15:22 -04:00
Brion Vibber
7e55fc0044 OStatus/FeedSub: tweaked PuSH feed garbage collection so other plugins can declare usage of a low-level feed or an OStatus profile besides profile subscriptions & group memberships.
SubMirror: redid add-mirror frontend to accept a feed URL, then pass that on to OStatus, instead of pulling from your subscriptions.
Profile: tweaked subscriberCount() so it doesn't subtract 1 for foreign profiles who aren't subscribed to themselves; instead excludes the self-subscription in the count query.
Memcached_DataObject: tweak to avoid extra error spew in the DB error raising

Work in progress: tweaking feedsub garbage collection so we can count other uses
2010-08-06 11:49:52 -07:00
Evan Prodromou
2ba36fc242 Merge branch 'activityhooks' into 0.9.x
Conflicts:
	classes/Notice.php
2010-08-03 16:01:18 -07:00
Evan Prodromou
f83171824f correctly show <source> for atom feeds 2010-08-03 15:50:21 -07:00
Siebrand Mazeland
8f8588026b Fixes for messages after review by Brion. 2010-07-30 19:25:55 +02:00
Siebrand Mazeland
125ff142e8 * mark a few message for translation
* add translator documentation
2010-07-29 13:36:08 +02:00
Zach Copley
1eec7f779f - Add profile_info tag to Atom author
- Normalize xmlns:statusnet links in the API
2010-06-22 16:28:06 -07:00
Brion Vibber
f1c01f9ead Temporary hack until notice_profile_id_idx is updated
to (profile_id, id) instead of (profile_id, created, id).
It's been falling back to PRIMARY instead, which is really
very inefficient for a profile that hasn't posted in a few
months. Even though forcing the index will cause a filesort,
it's usually going to be better. Even for large profiles it
seems much faster than the badly-indexed query.
2010-04-01 10:17:17 -07:00
Evan Prodromou
c1c7feedbd do complete unsubscribe process when deleting a user 2010-03-31 15:02:19 -04:00
Brion Vibber
441e52718e Background deletion of user accounts. Notices are deleted in chunks, then the user itself when they're all gone.
While deletion is in progress, the account is locked with the 'deleted' role, which disables all actions with rights control.

Todo:
* Pretty up the notice on the profile page about the pending delete. Show status?
* Possibly more thorough account disabling, such as disallowing all use for login and access.
* Improve error recovery; worst case is that an account gets left locked in 'deleted' state but the queue jobs have gotten dropped out. This would leave the username in use and any undeleted notices in place.
2010-03-15 16:08:00 -07:00
Brion Vibber
ce92bc7143 Drop timestamp cutoff parameter from User::getCurrentNotice() and Profile::getCurrentNotice().
It's not currently used, and won't be efficient when we update the notice.profile_id_idx index to optimize for our id-based sorting when pulling user post lists for profile pages, feeds etc.
2010-03-11 11:01:01 -08:00
Brion Vibber
4a2511139e Initial user role controls on profile pages, for owner to add/remove administrator and moderator options.
Buttons need to be themed.
2010-03-03 15:43:49 -08:00
Brion Vibber
3bb42d1170 Use poster's subscribed groups to disambiguate group linking when a remote group and a local group exist with the same name. (If you're a member of two groups with the same name though, there's not a defined winner.) 2010-03-03 19:00:02 +00:00
Brion Vibber
6b134ae4c7 Dropped deprecated timestamp-based 'since' parameter for all API methods. When it sneaks in it can cause some very slow queries due to mismatches with the indexing.
Twitter removed 'since' support some time ago, and we've already removed it from the public timeline, so it shouldn't be missed.
2010-03-02 11:54:02 -08:00
Zach Copley
6a711c6cdc Move ActivityObject and related stuff to core 2010-02-22 17:10:50 -08:00
Evan Prodromou
b79d4ed6a1 add PoCo preferredUsername for nickname in Profile::asActivityNoun() 2010-02-22 07:43:12 -05:00
Evan Prodromou
fae5a15a88 add strongly-suggested link to Profile::asActivityNoun() 2010-02-22 07:40:20 -05:00
Zach Copley
35be39e30e Merge branch 'testing' of git@gitorious.org:statusnet/mainline into testing 2010-02-22 01:23:24 -08:00
Zach Copley
47300a2ae9 Upgrade profile-based activity noun to have more complete set of
profile fields
2010-02-22 01:21:34 -08:00
Evan Prodromou
a745d38d6d slight rearrangement of getting profile URIs 2010-02-21 22:52:27 -05:00
Evan Prodromou
52e8aa798a Refactor subs_* functions for remote use
The subs_* functions in subs.php have made a lot of assumptions
about users versus profiles. I've refactored the functions to
be methods of the Subscription class instead, and to use Profile
objects throughout.

Some of the checks for blocks or existing subscriptions depended
on users or profiles, so I've moved those methods around a bit.

I've left stubs for the subs_* functions until we get time to replace
them.
2010-02-19 08:16:45 -05:00
Zach Copley
2cb243808c More sensical profile::getUri() 2010-02-16 20:13:39 -08:00
Zach Copley
c892726c80 Take remote profiles into account when looking up canonical profile URIs 2010-02-16 16:22:58 -08:00
Zach Copley
eea52c708b Add rel="avatar" to img links in <activity:actor> stanzas 2010-02-16 11:32:10 -08:00