Commit Graph

1998 Commits

Author SHA1 Message Date
Mikael Nordfeldth
1535ae5e3b Call self:: instead of Memcached_DataObject 2013-11-04 17:38:40 +01:00
Mikael Nordfeldth
5e054bfdb3 Minor typing stuff and syntax fixes 2013-11-02 17:28:11 +01:00
Mikael Nordfeldth
a6f99e7296 Implement a User_group fetching function for Local_group 2013-11-02 17:27:50 +01:00
Mikael Nordfeldth
05b603b1da Less raw SQL in User_group 2013-11-02 14:30:29 +01:00
Mikael Nordfeldth
d289ccb7f2 Minor PHP stylistic features and typing stuff 2013-11-02 13:05:08 +01:00
Mikael Nordfeldth
bd86519d50 Minor labeling things for StatusNet to GNU social migration 2013-11-01 14:04:40 +01:00
Mikael Nordfeldth
20bd0c1136 getStreamName will now return nick/fullname based on current user's preferred representation 2013-10-30 13:05:04 +01:00
Mikael Nordfeldth
09ef1fff69 NoticeListItem attentions showed double for User_group
...because they each have their own Profile now! Whiie!
2013-10-30 12:56:17 +01:00
Mikael Nordfeldth
71978a84fd File oEmbed lookup failure is not as severe as LOG_ERR 2013-10-29 14:09:00 +01:00
Mikael Nordfeldth
9b6633698c Group discovery from text functions polished
Also removed the entirely unused saveGroups function.

Now avoiding multiGet and using listFind in Profile->getGroups()
so we don't have to deal with ArrayWrapper.
2013-10-29 13:40:14 +01:00
Mikael Nordfeldth
2dfa0bfcee function delete in dataobjects now don't break strict syntax 2013-10-29 10:20:57 +01:00
Mikael Nordfeldth
23a6b4595f Reworked the ActivityContext->attention structure
Removing Evan's obscure attentionType solution and directly using the attention array
2013-10-28 22:21:14 +01:00
Mikael Nordfeldth
f99c4b7f07 More OOP-ish tests using instanceof 2013-10-28 22:18:00 +01:00
Mikael Nordfeldth
3ba6374b9d Memcached_DataObject extensions got their update functions more consistent 2013-10-28 19:36:05 +01:00
Mikael Nordfeldth
9ea57e5cb2 getAcctUri function added with related exception
Used in ActivityObject for Atom Title generation.

New events:
    * StartGetProfileAcctUri
    * EndGetProfileAcctUri
2013-10-28 18:21:10 +01:00
Mikael Nordfeldth
a5d8707658 Use getParent instead of manual reply_to lookup 2013-10-28 17:28:10 +01:00
Mikael Nordfeldth
fcba540a14 Removed legacy OMB. Use OStatus for remote profiles. 2013-10-28 16:22:09 +01:00
Mikael Nordfeldth
340740266c Notice class local cache fixes 2013-10-23 12:33:37 +02:00
Mikael Nordfeldth
a980f4ed33 Call memcache() as a static object (it's a static class) 2013-10-23 12:02:15 +02:00
Mikael Nordfeldth
f54584c126 Don't disconnect a DB_Error, instead log for better understanding. 2013-10-22 18:56:56 +02:00
Mikael Nordfeldth
e274f69634 Notice->getParent function fixes
NoResultException was the wrong choice in this case, because it was
not a DB_DataObject instance that performed the search, but a static
call to the Notice class.
2013-10-22 15:37:19 +02:00
Mikael Nordfeldth
355c37bc3f Revert "Better ID for notice activity"
This reverts commit 8cc4660bd9.

This seems like something Evan only did to make pump.io import notices easier,
or maybe he just wanted to get rid of the identi.ca URLs?
2013-10-21 23:25:35 +02:00
Mikael Nordfeldth
f4c0cff032 Only use ActivityVerb::SHARE (forwardId is deprecated)
StatusNet >= 1.0 support it.
2013-10-21 22:25:19 +02:00
Mikael Nordfeldth
3cab5b36c1 Replace common_good_random with common_random_hexstr 2013-10-21 13:20:30 +02:00
Mikael Nordfeldth
df5aa6f93a Exception wasn't thrown. How does PHP handle daisychained calls, really? 2013-10-21 09:09:32 +02:00
Mikael Nordfeldth
9811783f19 Strict type check against false in User_group 2013-10-20 17:15:46 +02:00
Mikael Nordfeldth
e868ebfe77 WebFingerResource introduced, instead of strict Profile object
This is the beginning of getting notice URI info via WebFinger

*XrdActionLinks is renamed *WebFingerProfileLinks, check EVENTS.txt
in WebFinger plugin for new events.
2013-10-20 15:48:14 +02:00
Mikael Nordfeldth
2a5ba1f74b Core and Default plugins separated, now loads on install
_flow_ reported on IRC that install.php had stopped working. This was
because default plugins had been put into two separate lists, and the
list with AuthCrypt was never loaded when performing an installation.

Core plugins cannot be disabled.

I also removed the Memcache autodetection thing since it should be
solved in a more elegant manner.
2013-10-19 14:38:15 +02:00
Mikael Nordfeldth
145fbf1130 Move nick updating of User entry to Profile->update()
Also, timezone and language in User table weren't indexes. So no need
to do them separately.
2013-10-17 16:38:42 +02:00
Mikael Nordfeldth
274b70784f When updating a User_group nickname, correlate Local_group and Profile
...no need to make a separate call to Local_group's setNickname all the time,
or a bunch of redundant code for the Profile table.

Next up is User->update()...
2013-10-17 13:49:20 +02:00
Mikael Nordfeldth
6ed66d9c76 Local_group and User are now assumed to be in same namespace 2013-10-17 01:27:01 +02:00
Mikael Nordfeldth
38a69b5597 Better checks during User::register and improved Nickname checks 2013-10-16 14:58:06 +02:00
Mikael Nordfeldth
352bef2374 Add support (and upgrade path) for group profiles 2013-10-15 11:12:50 +02:00
Mikael Nordfeldth
202f6ad7a9 Removing legacy code and fixup_* for Status_network tags 2013-10-15 10:54:03 +02:00
Mikael Nordfeldth
8202e922aa Do calls straight to the result of getProfile 2013-10-15 02:34:10 +02:00
Mikael Nordfeldth
4e8d7795d0 Moved favoriteNotices from User to Profile class 2013-10-15 02:15:58 +02:00
Mikael Nordfeldth
fdbb528e7a getTaggedSub-stuff moved to Profile class 2013-10-15 02:00:27 +02:00
Mikael Nordfeldth
1dc051a9eb We never accept a user without a Profile 2013-10-15 01:00:27 +02:00
Mikael Nordfeldth
f46d675a20 GNU social is with a minor s. 2013-10-15 00:20:36 +02:00
Mikael Nordfeldth
b903db059c static:: call are less cluttery 2013-10-14 18:34:26 +02:00
Mikael Nordfeldth
a8bcdc905f common_sql_now() is recommended before DB_DataObject_Cast::dateTime() 2013-10-14 13:42:27 +02:00
Mikael Nordfeldth
53face3340 MDB2 now works with UTF-8 2013-10-14 13:18:26 +02:00
Mikael Nordfeldth
390556d932 Remote Profile Action from ModPlus now more generic 2013-10-08 21:08:02 +02:00
Mikael Nordfeldth
fcf47f315b Removed deprecated activity:subject 2013-10-08 15:06:19 +02:00
Mikael Nordfeldth
1d1951d4b0 common_sql_now() is recommended 2013-10-08 11:40:23 +02:00
Mikael Nordfeldth
9ddc40b6da NoResultException returns the failed object 2013-10-08 00:21:24 +02:00
Mikael Nordfeldth
87370f0cb1 URL shortening can now be disabled for the 'maxurllength'
Also, URL shortening now consistently uses 'maxurllength'...
2013-10-06 22:35:49 +02:00
Mikael Nordfeldth
34a6624452 Qvitter API changes (thanks hannes2peer)
I implemented changes from quitter.se's new API that their front-end qvitter
uses, https://github.com/hannesmannerheim/qvitter/blob/master/api-changes-1.1.1/CHANGES

However I left out the URL shortening commens, since I believe whatever behaviour
they experienced that caused them to implement this was a bug (or many) and should
be fixed in their proper areas and that shortening should not be entirely left
out in API calls.
2013-10-06 21:51:50 +02:00
Mikael Nordfeldth
3000adb33d pkeyGet unfortunately returns null (should throw NoResultException) on empty result 2013-10-06 20:04:09 +02:00
Mikael Nordfeldth
2770ef9718 listFind throws NoResultException on no results 2013-10-06 16:37:51 +02:00
Mikael Nordfeldth
fb94a16217 Moved Avatar retrieval into Avatar class
Backwards compatible functions are still in Profile class.
2013-10-06 15:55:06 +02:00
Mikael Nordfeldth
c3d46b81a8 Added Profile_prefs class for profile preferences
Profile_prefs aims to consolidate all the profile preferences into a
single table. Otherwise we end up with a bajillion *_prefs classes, like
User_urlshortener_prefs, or new fields in existing User/Profile classes,
like 'urlshorteningservice', 'homepage', 'phone_number', 'pet_name' etc.

Eventually we should migrate as many user-settable preferences as we can
into this system.

The data in Profile_prefs is organized by:
    * profile_id    Identify the current Profile.
    * namespace     Which plugin/section the preference is for.
    * topic         Preference name (like 'homepage')
    * data          Preference data (like 'https://gnu.org/')

The names 'topic' and 'data' are because 'key' and 'value' may be rather
ambigous when dealing with our DB_DataObject classes etc.
2013-10-06 14:07:00 +02:00
Mikael Nordfeldth
78f9629bf3 Moved shareLocation preference check to Profile class 2013-10-06 13:38:09 +02:00
Mikael Nordfeldth
64dbd93534 Some PHP strict warning fixes 2013-10-06 03:37:12 +02:00
Mikael Nordfeldth
ac819e5738 fillAvatars would avoid the *ProfileGetAvatar events 2013-10-06 03:01:43 +02:00
Mikael Nordfeldth
ba481d1e31 LOG_WARNING, not LOG_WARN 2013-10-06 01:33:10 +02:00
Mikael Nordfeldth
48da97f204 MediaFile code improvements, preparing to implement multi-attachments
Maybe in the future we can use this for anonymous file uploads too?
With some kind of anonymous/pseudonymous profile. That'd be neat.
2013-10-05 18:47:45 +02:00
Mikael Nordfeldth
e376905d93 Forgot to clean some debug logging 2013-10-05 14:33:02 +02:00
Mikael Nordfeldth
29de09a63d getParent throws exception
Should we get another Exception for if there's no parent? I think so,
because it's not really the same context as 'no result'.
2013-10-05 12:30:14 +02:00
Mikael Nordfeldth
d1558a1d8b Fix Avatar-unlink plus better logging in TwitterImport 2013-10-05 11:32:43 +02:00
Mikael Nordfeldth
597eb97bec is_a() with 3 params only supported in 5.3.9 anyway
So I removed those safety-checks, because now we can assume it works.
2013-10-04 23:10:59 +02:00
Mikael Nordfeldth
fb4e9b234d Twitter Import improvements. Still buggy?
Apparently mrvdb has problems with duplicate inserts and missing files when
unlinking. It could be due to coding, or it could be due to parallelizing.
2013-10-04 13:36:45 +02:00
Mikael Nordfeldth
cd6fa512ac Twitter Import + avatar fixes (cleaning up + fixing)
...there was also a typo in OstatussubAction ($avatarUrl not defined)
2013-10-03 15:28:51 +02:00
Mikael Nordfeldth
39f43e415d Do not name anything getOriginal (because DB_DataObject calls that)
Avatar->getOriginal has been renamed getUploaded
Notice->getOriginal has been renamed getParent
2013-10-02 15:01:11 +02:00
Mikael Nordfeldth
7979918ba9 Various minor Avatar fixes, but pretty necessary.
One typing thing. And a missed exception case.

Get src from displayUrl() instead of url for example.
2013-10-02 14:49:01 +02:00
Mikael Nordfeldth
b0dfc70a54 Properly unlink all old avatars when deleting/uploading a new
We're also now using $config['image']['jpegquality'] to determine the
quality setting for resized images.

To set Avatar max size, adjust $config['avatar']['maxsize']

The getAvatar call now throws exceptions too. Related changes applied.
Now let's move Profile->avatarUrl to the Avatar class!
2013-10-01 17:00:10 +02:00
Mikael Nordfeldth
cced063e47 Fixed regression in latest Avatar fixes
I thought typing would fix it, but there's a problem earlier in the
execution chain which will be fixed in the future.
2013-09-30 22:49:47 +02:00
Mikael Nordfeldth
24e0535001 Fix regression from WebFinger update for singleuser sites 2013-09-30 22:42:20 +02:00
Mikael Nordfeldth
a23c4aa236 Avatar resizing improvements and better code reuse
* getOriginal added to Avatar class
    This is a static function that retrieves the original avatar in a leaner
    way than Profile->getOriginalAvatar() did (see below).
    This will throw an Exception if there was none to be found.

* getProfileAvatars added to Avatar class
    This gets all Avatars from a profile and returns them in an array.

* newSize added to Avatar class
    This will scale an original avatar or throw an Exception (originally from
    Avatar::getOriginal) if one wasn't found.

* deleteFromProfile added to Avatar class
    Deletes all avatars for a Profile. This makes the code much smarter when
    removing all avatars from a user.
    Previously only specific, hardcoded (through constants) sizes would be
    deleted. If you ever changed lib/framework.php then many oddsized avatars
    would remain with the old method.

* Migrated Profile class to new Avatar::getOriginal support
    Profile class now uses Avatar::getOriginal through its own
    $this->getOriginalAvatar and thus remains backwards compatible.

* Updating stock GNU Social to use Avatar::getOriginal
    All places where core StatusNet code used the
    $profile->getOriginalAvatar, it will now useAvatar::getOriginal with
    proper error handling.

* Updated Profile class to use Avatar::newSize
    When doing setOriginal, the scaling will be done with the new method
    introduced in this merge.
    This also edits the _fillAvatar function to avoid adding NULL values to
    the array (which causes errors when attempting to access array entries as
    objects). See issue #3478 at http://status.net/open-source/issues/3478
2013-09-30 22:23:03 +02:00
Mikael Nordfeldth
a0e107f17f Implemented WebFinger and replaced our XRD with PEAR XML_XRD
New plugins:
* LRDD
    LRDD implements client-side RFC6415 and RFC7033 resource descriptor
    discovery procedures. I.e. LRDD, host-meta and WebFinger stuff.

    OStatus and OpenID now depend on the LRDD plugin (XML_XRD).

* WebFinger
    This plugin implements the server-side of RFC6415 and RFC7033. Note:
    WebFinger technically doesn't handle XRD, but we serve both that and
    JRD (JSON Resource Descriptor), depending on Accept header and one
    ugly hack to check for old StatusNet installations.

    WebFinger depends on LRDD.

We might make this even prettier by using Net_WebFinger, but it is not
currently RFC7033 compliant (no /.well-known/webfinger resource GETs).

Disabling the WebFinger plugin would effectively render your site non-
federated (which might be desired on a private site).

Disabling the LRDD plugin would make your site unable to do modern web
URI lookups (making life just a little bit harder).
2013-09-30 22:04:52 +02:00
Joshua Judson Rosen
8e53eb2b4c Correct a logic-inverting typo in handling of replies to group-posts.
The typo causes a tautology, which makes replies to group-posts always (or almost-always) go to the group(s).
cf. http://status.net/open-source/issues/3638
2013-09-29 23:14:00 +02:00
Mikael Nordfeldth
80c6af0ffe Uncaught exception when no subscribers/subscriptions in ProfileList 2013-09-26 00:47:56 +02:00
Mikael Nordfeldth
858d9cc3c4 maxNoticeLength test for url-shortening failed on maxContent==0
maxContent==0 implies that a notice text can be infinitely long, but
this value was directly transferred to maxNoticeLength, where 0 was
tested if it was longer than the notice length - which of course always
was false.

This commit fixes the problem for infinite length notices that always
got shortened.
2013-09-25 22:48:32 +02:00
Mikael Nordfeldth
9d3abc3600 $_PEAR now defined globally as new PEAR, so no static calls are made 2013-09-23 22:27:43 +02:00
Mikael Nordfeldth
50e611a1a9 Shouldn't define static classes as abstract.
New Exception class added (MethodNotImplementedException)
2013-09-21 18:53:18 +02:00
Mikael Nordfeldth
63306081bc Subscription "get by" functions now don't use ArrayWrappers
They were getting in the way of some strict-typing stuff.
2013-09-21 18:38:14 +02:00
Mikael Nordfeldth
39f21d63af New Managed_DataObject retrieval: listFind
This will return a proper DB_DataObject instance (as the desired class)
and not an array, or ArrayWrapper.
2013-09-21 18:18:03 +02:00
Mikael Nordfeldth
93e878d7ca Make better use of Subscription class
removed lib/subs.php as it was essentially only a wrapper for Subscription
2013-09-19 17:29:05 +02:00
Mikael Nordfeldth
a35344eb00 instanceof instead of is_a is faster (thanks quix0r) 2013-09-19 16:40:16 +02:00
Mikael Nordfeldth
c906ab11b0 8 chars was too little, 32 should be enough. 2013-09-18 01:21:53 +02:00
Mikael Nordfeldth
8140c4ff90 Bad call to joinAdd in Profile.php 2013-09-16 22:36:44 +02:00
Mikael Nordfeldth
83b852312a Events on user registrations now strictly typed 2013-09-14 18:37:05 +02:00
Mikael Nordfeldth
99312c8cc2 Declaring some more static functions properly
As a bonus I added type declaration on Profile_block::exists and
Subscription::exists respectively.
2013-09-09 23:28:20 +02:00
Mikael Nordfeldth
747fe9d59b Tidying up getUser calls to profiles and some events
getUser calls are much more strict, and one place where this was found was
in the (un)subscribe start/end event handlers, which resulted in making the
Subscription class a bit stricter, regarding ::start and ::cancel at least.
Several minor fixes in many files were made due to this.

This does NOT touch the Foreign_link function, which should also have a more
strict getUser call. That is a future project.
2013-09-09 23:03:34 +02:00
Mikael Nordfeldth
e5e3aeb4e6 newmessage (and Message class) fixed for FormAction
Also added a needLogin function to the Action class, which will do
redirect to login page with proper returnto setting.
2013-09-02 11:05:30 +02:00
Mikael Nordfeldth
79e3acf0f0 Moved multiGet into Managed_DataObject 2013-08-29 10:38:11 +02:00
Mikael Nordfeldth
b3e61ce7d0 Stronger typing, require array where param array 2013-08-29 10:27:39 +02:00
Mikael Nordfeldth
fac7371179 pivotGet moved into Managed_DataObject 2013-08-29 10:13:07 +02:00
Mikael Nordfeldth
40fe10e002 Woops, forgot auto_increment (comes with 'serial')
There are still some classes not ported (like Yammer import)
2013-08-21 15:02:44 +02:00
Mikael Nordfeldth
3a7261f70a IMPORTANT: Making prev. Memcached_DataObject working again with schemaDef
Lots of the Memcached_DataObject classes stopped working when upgraded to
Managed_DataObject because they lacked schemaDef().

I have _hopefully_ made it so that all the references to the table uses
each class' schemaDef, rather than the more manual ColumnDef stuff. Not
all plugins have been tested thoroughly yet.

NOTE: This is applied with getKV calls instead of staticGet, as it was
important for PHP Strict Standards compliance to avoid calling the non-
static functions statically. (unfortunately DB and DB_DataObject still do
this within themselves...)
2013-08-21 09:48:42 +02:00
Mikael Nordfeldth
b1465a7559 We can now do late static binding (PHP >= 5.3) 2013-08-20 09:43:51 +02:00
Mikael Nordfeldth
0785cc2469 Don't use DB_DataObject::factory (statically at least)
Not all instances of this has been fixed, but at least the ones
in the base class of Memcached_DataObject.

Avatar fix (in classes/Profile.php) requires a pkeyGet function
in the Avatar class (or as in this tree, the parent class of
Managed_DataObject)
2013-08-19 11:40:35 +02:00
Mikael Nordfeldth
97ce71e55d Managed_DataObject now has listGet for all classes 2013-08-18 21:02:33 +02:00
Mikael Nordfeldth
3ce5631b3c Memcached_DataObject::multicache is now properly defined static 2013-08-18 16:21:30 +02:00
Mikael Nordfeldth
861e838add pkeyGet is now static and more similar to getKV
Memcached_DataObject now defines
   * pkeyGetClass to avoid collision with Managed_DataObject pkeyGet
   * getClassKV to avoid collision with Managed_DataObject getKV
2013-08-18 15:42:51 +02:00
Mikael Nordfeldth
2a4dc77a63 The overloaded DB_DataObject function staticGet is now called getKV
I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV

   sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq)

If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!

This might of course take some getting used to, or modification fo StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class)

Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
2013-08-18 13:13:56 +02:00
Mikael Nordfeldth
e95f77d34c Updating all Memcached_DataObject extended classes to Managed_DataObject
In some brief tests, this causes no problems.

In this state however, you would need to modify DB_DataObject to have a static declaration of staticget (and probably pkeyGet). The next commit will change the staticGet overload to a unique function name (like getKV for getKeyValue), which means we can properly call the function by PHP Strict Standards.
2013-08-18 12:32:32 +02:00
Mikael Nordfeldth
1a9a8ea730 staticGet for sub-Managed_DataObject classes now calls parent
The parent class for our database objects, Managed_DataObject, has a
dynamically assigned class in staticGet which objects get put into,
leaving us with less code to do the same thing.

We will probably have to move away from the DB_DataObject 'staticGet'
call as it is nowadays deprecated.
2013-08-12 19:46:44 +02:00
Mikael Nordfeldth
d115cddfb7 Managed_DataObject gets dynamic class detection for staticGet
Compatibility: get_called_class is implemented in PHP >= 5.3.0
2013-08-12 19:12:13 +02:00
Mikael Nordfeldth
3394efca60 staticGet is a static function
We always call staticGet statically, so we define it statically. Next
step is to remove a bunch of definitions of 'staticGet' from classes
that can instead fall back to a parent class in Managed_DataObject.

The ampersand is removed as we're returning a class anyway, which does
not need a reference (and when we return false, it means nothing).
2013-08-12 19:08:11 +02:00
Mikael Nordfeldth
794163c31f Default to NOT ask for current location for new users
It may be a bad experience for new users to immediately when trying
out the service be asked for their geographical position. Instead,
let them opt-in for this behaviour.
2013-08-12 14:40:55 +02:00
Mikael Nordfeldth
bd60ab2e05 fix typo on provider_url 2013-08-12 13:01:47 +02:00
Mikael Nordfeldth
56cfd2bf22 comparing a url scheme should be done case insensitively 2013-08-12 12:52:50 +02:00
Mikael Nordfeldth
f433f7ce77 if parameters are not 0, null then limit will be PROFILES_PER_PAGE
If you look at classes/User_group.php on line 412 in the current code, you can see that a call to $profile->getGroups() is made. This implies getGroups($offset=0, $limit=PROFILES_PER_PAGE) only giving a limited amount of groups.

This means only the first 20 groups in an ascending numerical order by locally stored User_group->id will be addressable with the bangtag syntax.

I solved this by making the getGroups() call to the same one made in Profile->isMember(), i.e. $profile->getGroups(0, null);
2013-08-12 12:50:23 +02:00
Evan Prodromou
3fc1d245a1 Merge 1.1.x into master 2013-07-16 10:57:06 -07:00
Joshua Wise
89ba820246 Escape argument to prevent SQL injection attack in
User::getTaggedSubscriptions()

This change escapes the $tag argument to prevent a SQL injection
attack in User::getTaggedSubscriptions(). The parameter was not
escaped higher up the stack, so this vulnerability could be exploited.
2013-07-16 10:47:29 -07:00
Joshua Wise
4a30da924a Escape argument to User::getTaggedSubscribers() to preven SQL injection
This change escapes the argument to User::getTaggedSubscribers() to
prevent SQL injection attacks.

Both code paths up the stack fail to escape this parameter, so this is
a potential SQL injection attack.
2013-07-16 10:43:56 -07:00
Joshua Wise
e54cb6958a Escape query parameters in Profile_tag::getTagged()
This patch escapes query parameters in Profile_tag::getTagged(). This
is an extra security step; since these parameters come out of the
database, it's unlikely that they would have dangerous data in them.
2013-07-16 10:35:44 -07:00
Joshua Wise
5b118b3781 Escape SQL parameter in Profile_tag::moveTag()
This change adds additional escapes for arguments to
Profile_tag::moveTag(). The arguments are canonicalized in the API and
Web UI paths higher up the stack, but this change makes sure that no
other paths can introduce SQL injection errors.
2013-07-16 10:27:30 -07:00
Joshua Wise
c5a710e081 Escape $tag passed to Profile::getTaggedSubscribers()
This patch escapes the $tag parameter in
Profile::getTaggedSubscribers(). The parameter is not escaped either
in actions/subscriptions.php or in actions/apiuserfollowers.php. So
there is a potential for SQL injection here.
2013-07-16 10:14:38 -07:00
Joshua Wise
3fb2c06cba Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:11:26 -07:00
Joshua Wise
783e400d94 Potential SQL injection in Local_group::setNickname()
This change escapes a parameter in Local_group::setNickname(). Review
of the code paths that call this function sanitize the parameter
higher up the stack, but it's escaped here to prevent mistakes later.

Note that nickname parameters are normally alphanum strings, so
there's not much danger in double-escaping them.
2013-07-16 10:09:16 -07:00
Evan Prodromou
e502bba259 Slightly more robust group-membership conversion 2013-06-30 12:07:55 -04:00
Evan Prodromou
8cc4660bd9 Better ID for notice activity 2013-06-15 12:07:52 -04:00
Evan Prodromou
7a5bd495c5 Better ID for notice activity 2013-06-15 12:07:34 -04:00
Evan Prodromou
bb0cf686df Pass null to Profile::profileInfo() 2013-06-08 21:12:29 -04:00
Evan Prodromou
806f7d439a Bad variable in Message::asActivity() 2013-06-08 21:07:51 -04:00
Evan Prodromou
f189d0b438 Bad variable in Message::asActivity() 2013-06-08 21:04:51 -04:00
Evan Prodromou
96d7b68c50 Store direct messages as an activity 2013-06-08 17:54:27 -04:00
Evan Prodromou
9fd2c3e1c9 Store direct messages as an activity 2013-06-08 17:45:49 -04:00
Evan Prodromou
14a111189d Merge remote-tracking branch 'origin/master' 2013-06-08 14:57:20 -04:00
Evan Prodromou
2252a9ffaf Throw exception if subscription is invalid 2013-06-08 14:56:57 -04:00
Evan Prodromou
08eca420ca Add generator to JSON output 2013-06-07 11:35:06 -04:00
Evan Prodromou
fe2c0a9687 Add generator to JSON output 2013-06-07 11:34:54 -04:00
Evan Prodromou
25823f6e5b Some better context for notices as arrays 2013-06-07 03:11:33 -04:00
Evan Prodromou
6164940e8c Some better context for notices as arrays 2013-06-07 03:11:23 -04:00
Evan Prodromou
7229533b0f Use real attachments for JSON output 2013-06-05 09:39:43 -04:00
Evan Prodromou
772383e84b Use real attachments for JSON output 2013-06-05 09:39:13 -04:00
Evan Prodromou
15d466ebe6 Don't add content as title for notes 2013-06-04 19:53:07 -04:00
Evan Prodromou
736bc9cc96 Don't add content as title for notes 2013-06-04 19:52:38 -04:00
Evan Prodromou
b493f3839c Use better type, title for service 2013-06-04 16:31:17 -04:00
Evan Prodromou
08c72a00e8 Use better type, title for service 2013-06-04 16:30:40 -04:00
Evan Prodromou
04f6e4ce7b Better registrationActivity 2013-06-04 15:21:33 -04:00
Evan Prodromou
d81b257290 Better registrationActivity 2013-06-04 15:20:00 -04:00
Evan Prodromou
fa1a1851db Add an ID to registered service 2013-06-03 09:11:29 -04:00
Evan Prodromou
9f94ed81ee Add an ID to registered service 2013-06-03 08:55:00 -04:00
Evan Prodromou
7ad5ed1db9 Merge branch 'master' of gitorious.org:statusnet/mainline 2013-06-02 15:24:57 -04:00
Evan Prodromou
49d265faa0 Add a registration activity to the end of every backup 2013-06-02 14:41:41 -04:00
Evan Prodromou
cbb5586ab7 Add a registration activity to the end of every backup 2013-06-02 14:38:00 -04:00
Evan Prodromou
ea8151688e Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:27:21 -04:00
Evan Prodromou
b359854150 Throw an exception converting fave to activity for non-existent notice or profile 2013-05-24 09:26:58 -04:00
Evan Prodromou
c5ef1e661e By default Notice::asActivity has a null argument 2013-04-14 12:02:52 -04:00
Evan Prodromou
6f424eb80f If there's an exception in notice distribution, continue 2012-11-25 10:39:49 -05:00
Evan Prodromou
1c3c269ab4 cache key for member_ids 2012-07-04 14:39:26 -04:00
Evan Prodromou
69fb79caae Cache IDs rather than profile objects 2012-07-04 14:38:06 -04:00
Evan Prodromou
642b1044cc Better user group member queries 2012-07-04 14:12:11 -04:00
Evan Prodromou
acf52a3041 Hide stuff if there's an exception getting the profile 2012-05-04 23:37:12 -04:00
Evan Prodromou
5f2b62927c let author see own spam 2012-04-23 21:25:53 -04:00
Evan Prodromou
4746016dd5 Don't convert deleted notices into repeats in Notice::asActivity() 2012-04-23 19:15:12 -04:00
Evan Prodromou
04ad0838be Add spam-training, spam-reviewing rights
Replaced the check for a moderator role in certain spam-training and
-reviewing points. Make sure modhelpers can check, too.
2012-03-25 13:18:16 -04:00
Evan Prodromou
3e46a9b164 Make blocks work for non-subscription deliveries 2012-03-23 12:55:51 -04:00
Evan Prodromou
3b09465fc4 flush anonymous scope when a profile is silenced 2012-03-22 11:37:59 -04:00
Evan Prodromou
d98a4be24e Merge branch '1.0.x' 2012-03-21 16:40:51 -04:00
Evan Prodromou
1c625bd040 show correct conversation notice count 2012-03-21 16:40:42 -04:00
Evan Prodromou
8706d8d351 double-check profile 2012-03-21 13:05:15 -04:00
Evan Prodromou
ad1649e4ba Pass profile down to spam-hiding function 2012-03-21 13:02:45 -04:00
Evan Prodromou
d942072a6c Optionally hide spam from timelines
For sites with a lot of spam, this will hide that spam from timelines for everyone but moderators.
2012-03-21 10:26:00 -04:00
Evan Prodromou
d2d75823a4 Use this for scope check 2012-03-20 21:13:35 -04:00
Evan Prodromou
b65db93d29 New events for overriding scope checks 2012-03-20 16:39:43 -04:00
Evan Prodromou
b4da5f3785 Merge branch 'master' into 1.0.x
Conflicts:
	plugins/Blacklist/BlacklistPlugin.php
2012-03-08 06:08:11 -06:00
Evan Prodromou
3117c38044 Revert "when silencing, blow scope for not-logged-in users"
This reverts commit 04f71a42d3.
2011-12-31 09:35:22 -08:00
Evan Prodromou
70f9d41c4c Revert "Hide posts by silenced users"
This reverts commit d22fc7423c.
2011-12-31 09:34:42 -08:00
Evan Prodromou
04f71a42d3 when silencing, blow scope for not-logged-in users 2011-12-31 09:15:32 -08:00
Evan Prodromou
d22fc7423c Hide posts by silenced users 2011-12-31 08:56:54 -08:00
Siebrand Mazeland
2624afbcd4 Crazy gettext way to support two plurals in one string. 2011-12-28 12:44:42 +01:00
Siebrand Mazeland
eb124c5a67 Add missing space between two sentences. 2011-12-28 12:35:03 +01:00
Michele macno Azzolari
ad2fd9abd4 Fix whitescreen on recoverpassword with unknown user 2011-12-02 15:48:29 -05:00
Evan Prodromou
499e7d7c41 Squashed commit of the following:
commit 74c5e4cce42ae601c07b447e100f097c15ebf9d2
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 12:48:52 2011 -0400

    Add back in some optimization indices lost in schema conversion

commit ef5c2acfcd123b25910a1c8bb4ae01a3f9608e5e
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 12:29:57 2011 -0400

    restore some of the lost optimized indices on notice table
2011-10-20 12:50:39 -04:00
Evan Prodromou
22fead1b46 Squashed commit of the following:
commit fb1dfa9e98ded23fb5bdebae6465424a8cb8acd6
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:40:07 2011 -0400

    Use popular notice stream for favorited page

commit e1d409ff738e39061ad35589d546ce9bed456975
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:32:23 2011 -0400

    Use a caching stream for popular notice section

    Instead of a big cached query, we now use a caching notice stream for
    the popular notice section. It uses a single-table query at the
    bottom, then scopes the notices and filters for silenced users. This
    should be much nicer to our database servers.

    Also clears the popular cache when someone favors or disfavors
    something. A nice optimization would be to save the last weights and
    re-calculate them at invalidation time, adding the new notice (or not)
    depending on its own score. That will have to wait for another day,
    though.

commit e9b7ab4c26c95e755adaff53c3957dcfca31c16b
Author: Evan Prodromou <evan@status.net>
Date:   Thu Oct 20 10:31:14 2011 -0400

    Let CachingNoticeStream users skip the ';last' optimization
2011-10-20 10:40:39 -04:00
Brion Vibber
69e95bb9c8 Merge branch 'compound-keys-fix' into 1.0.x 2011-09-30 11:55:36 -07:00
Evan Prodromou
e3c010a870 try to check whether file exists over and over and over 2011-09-30 13:03:42 -04:00
Evan Prodromou
cd3bc8f4ef correct groups from Profile::getGroups() 2011-09-30 11:38:06 -04:00
Zach Copley
ba4bda9beb Fix display of group admin avatars 2011-09-30 00:57:54 +00:00
Brion Vibber
1d15037d6a Further fixes to Managed_DataObject::_allCacheKeys(): now uses self::multicacheKey() to generate the (possibly compound) keys, which makes it match the order of the keys used when calling pkeyGet().
This should resolve the issues darkip was reporting with user_im_prefs entries returning null immediately after insertion (seen with memcached off, so it was happening even with the built-in in-process cache in the Cache base class).

What was happening was that the initial pkeyGet() would end up saving a negative cache entry under the form with the fields sorted in the key, as via multicacheKey():

    'statusnet:blaguette:user_im_prefs:screenname,transport:brionv,sms' => 'N;'

then we'd do an insert() on the new entry, saving cache entries for the non-sorted key names returned by _allCacheKeys():

    'statusnet:blaguette:user_im_prefs:transport,screenname:sms,brionv' => 'O...'
    'statusnet:blaguette:user_im_prefs:user_id,transport:1234,sms' => 'O...'

but the next query via pkeyGet() still saw the negative lookup cache from before, and came back with null.

Now, _allCacheKeys() sorts the fields in the keys by using the same key-builder function, and queries pick up the same thing you just inserted. :)
2011-09-29 15:21:52 -07:00
Evan Prodromou
699a90f11c Show Event attendees in mini-list 2011-09-29 15:12:30 -04:00
Brion Vibber
69765a0550 Fix for caching with compound keys: add Managed_DataObject::_allCacheKeys() to override the one in Memcached_DataObject.
Memcached_DataObject doesn't quite fully understand unique indexes, and can't properly build cache keys for compound unique or primary keys.
Managed_DataObject has more information in its schema data, so we can build a proper list.
2011-09-28 18:32:43 -07:00
Evan Prodromou
c70c7db1c5 Remove unique key on file_thumbnail.url
We're getting "DB error: already exists" on thumbnails coming from
embed.ly. We don't need this to be unique, so let's avoid that.
2011-09-28 15:48:20 -04:00
Evan Prodromou
9143d4f384 Merge branch '1.0.x' into testing 2011-09-27 11:33:13 -04:00
Evan Prodromou
5ccae1313c Query errors in Profile_tag 2011-09-27 11:32:05 -04:00
Evan Prodromou
88c00facc8 fix getOtherTags() to not use joinAdd() 2011-09-27 10:51:02 -04:00
Evan Prodromou
707f90d012 missed an AND 2011-09-27 10:47:13 -04:00
Evan Prodromou
ce044c40fb rewrite Profile_tag::getTagsArray() so it doesn't use joinAdd() 2011-09-27 09:42:34 -04:00
Zach Copley
ec53e68cf2 Merge branch 'testing' of gitorious.org:statusnet/mainline into testing 2011-09-27 04:33:00 +00:00
Zach Copley
3b28f226c7 Facebook bridge back in business with new JS-SDK and OAuth 2.0 flow.
Might be better to rewrite the login mechanism to use server side flow
now that Facebook provides it.
2011-09-27 04:09:47 +00:00
Evan Prodromou
8c710ad2c1 Merge commit 'refs/merge-requests/158' of git://gitorious.org/statusnet/mainline into merge-requests/158
Conflicts:
	classes/Profile_list.php
	lib/peopletagnoticestream.php
2011-09-26 17:11:49 -04:00
Evan Prodromou
ea1a11a087 site-wide option to enable old-school settings 2011-09-24 09:46:13 -04:00
Evan Prodromou
ddc121c085 New table for all old-school UI prefs 2011-09-24 07:12:34 -04:00
Evan Prodromou
02a30cf47c start using stream mode prefs instead of separate parameter 2011-09-23 17:50:38 -04:00
Evan Prodromou
8fa816c324 don't use potentially bad Profile values 2011-09-22 16:29:31 -04:00
Evan Prodromou
a28a6d2f72 fixup bad class constant in Notice 2011-09-19 16:11:43 -04:00
Evan Prodromou
2c1911bfae Short-circuit bugs by defining Profile::getProfile() 2011-09-18 19:29:23 -04:00
Evan Prodromou
48625da04b Automatically add or drop fulltext indexes 2011-09-18 18:28:44 -04:00
Zach Copley
3bf3b6686c Remove fulltext indexes from notice and profile tables. The default
for fulltext search is 'like' (MySQLLikeSearch) which doesn't require
them.
2011-09-18 14:17:41 -07:00
Evan Prodromou
8f78743198 correct the URI-generation for group memberships 2011-09-12 13:36:12 -04:00
Evan Prodromou
a740556e3f is_int() -> \!is_null() 2011-09-08 13:05:17 -04:00
Evan Prodromou
5680eb74d0 default scope value is null, determined by site/private 2011-09-08 12:38:11 -04:00
Evan Prodromou
3056b109a2 Quietly skip trying to load config if there's an error in DB 2011-09-08 12:01:06 -04:00
Evan Prodromou
9948523c33 Merge branch 'master' into testing 2011-09-08 09:03:33 -04:00
Zach Copley
e59b30c14b Fix E_NOTICE from attempt to access undefined array key 2011-09-07 21:45:49 -07:00
Siebrand Mazeland
23eb49a017 Update translator documentation and i18n. 2011-08-30 11:43:27 +02:00