Commit Graph

187 Commits

Author SHA1 Message Date
Mikael Nordfeldth
f24cdf4a80 Much more logging in PushHubAction (OStatus) 2016-01-11 19:54:05 +01:00
Mikael Nordfeldth
ab93bb009c XSS vulnerability when remote-subscribing
->raw was used on non-filtered strings for some reasons, changed
to ->text.
2016-01-05 12:15:50 +01:00
Mikael Nordfeldth
b76461fc78 syntax error 2015-12-27 01:42:03 +01:00
Mikael Nordfeldth
0ac71c2b7b Duplicate URI means we have it already, I assume 2015-12-27 01:40:00 +01:00
mmn
0baa9debbc Merge branch 'direct-feed-sub' into 'master'
If we are given a direct URL to a feed, use that



See merge request !54
2015-12-14 21:09:56 +00:00
Mikael Nordfeldth
844670f88d Ooops, copypasted something into the wrong place. 2015-11-08 23:24:20 +01:00
Mikael Nordfeldth
65184782aa OStatus usage of static Validate::* calls fixed 2015-11-08 10:33:41 +01:00
Stephen Paul Weber
e58c529c53 If we are given a direct URL to a feed, use that 2015-10-28 00:54:20 +00:00
Mikael Nordfeldth
8fac7a9f6c StatusNet class renamed GNUsocial
also added backward compatible StatusNet class for the two calls I know
third party plugins use, isHTTPS and getActivePlugins
2015-02-27 12:44:15 +01:00
Mikael Nordfeldth
1bda6fb9be General code quality improvement for easier understanding
Also made sure we only match local group IDs in recognizedFeed for PushhubAction
2015-02-08 11:47:15 +01:00
Mikael Nordfeldth
482f61ac15 OStatusSub should use inherent attributes
No need to make several common_current_user calls and then getProfile
directly after that, since we have stuff like $this->scoped.
2015-01-27 13:23:49 +01:00
Mikael Nordfeldth
57d8eb8a53 Ensuring unknown profiles in salmon slaps work again 2015-01-13 13:43:35 +01:00
Mikael Nordfeldth
73669ed308 ensureProfile already done and stored in $this->oprofile 2015-01-12 02:01:26 +01:00
Mikael Nordfeldth
c44146d6f8 Favorites are now being stored from activities 2014-07-02 18:38:19 +02:00
Mikael Nordfeldth
d0da552722 SalmonAction and extensions simplified 2014-06-28 20:33:09 +02:00
Mikael Nordfeldth
d534ea7bd6 Try the whole Salmon action for AlreadyFulfilledException
If we have already fulfilled the action, we don't have to send an error back.
2014-06-02 13:57:30 +02:00
Mikael Nordfeldth
0dad11bb85 Inform and make use of NoProfileException in OStatus actions
This is because Ostatus_profile->localProfile() throws NoProfileException
instead of returning null for profiles which don't exist in Profile table.
2014-05-19 18:07:57 +02:00
Mikael Nordfeldth
63c20e59aa UsersalmonAction cleanup 2014-05-19 18:07:14 +02:00
Mikael Nordfeldth
7977361193 Too many bird wings ({), sorry Erkan :) 2014-05-07 09:52:50 +02:00
Mikael Nordfeldth
b59beb50e6 misplaced dollar sign, also URLs != attention URIs 2014-05-07 09:20:57 +02:00
Mikael Nordfeldth
8b12e41351 User object didn't have getNickname() function
We're just jumping on to the Profile->getNickname() function.
2014-05-06 16:08:36 +02:00
Mikael Nordfeldth
fc3125cf28 More modern coding, stuff related to subscriptions
Also trying to use the newly implemented AlreadyFulfilledException
2014-05-05 23:58:05 +02:00
Mikael Nordfeldth
805958cc23 UsersalmonAction updated to stronger typing standards 2014-05-05 19:38:01 +02:00
Mikael Nordfeldth
595d231d9a GroupsalmonAction updated to stronger typing standards 2014-05-05 19:25:39 +02:00
Mikael Nordfeldth
bbada781b7 Stronger typing and function access control in OStatus 2014-05-05 19:06:22 +02:00
Joshua Judson Rosen
7440dc2145 Prevent spurious refusals of legitimate notices posted to users via Salmon.
Make the logic match the intent described in the comments.

The intent is clearly "accept notices whenever (A or B or C)", but
the logic implemented was more like "not ((not A) or (not B) or (not C))",
which is a basical boolean algebra fail (each of those ORs need to
become ANDs for double-negation to work).

The practical implication was that, for example, writing a reply
to someone else's notice and including an @-reference to _another_
user on another site to bring them into the discussion would
fail to deliver the notice to the new user because their server
would basically say `oh no, you can't message this user
from someone else's thread' because an earlier check for
the `A' or `C' parts of `(A or B or C)' prevents `B' from
being checked.

cf.: <http://status.hackerposse.com/notice/55846>, which was
refused by the nhcrossing.com server because it didn't know
about <http://sn.jonkman.ca/notice/93724>, even though it would
have passed the later `notice contains a reference to a local user'
check if not for an exception being prematurely thrown.

The whole idea of reporting `which specific check FAILED'
in an `if ANY SUCCEEDS' analysis is just bogus, so nix all of
the distinct ClientExceptions--a single `ALL FAILED' exception
is the only one that makes sense.
2014-05-05 13:35:38 +02:00
Mikael Nordfeldth
5fd6053220 Code cleanup and enabling User object's etc. getUri() 2014-04-28 14:08:42 +02:00
Mikael Nordfeldth
c00491cd7a Cosmetic changes to common_redirect, clientError, serverError
Since these functions exit (or throw exception) after running, there
is no need to have a 'return' statement or similar afterwards.
2014-03-10 00:25:57 +01:00
Mikael Nordfeldth
e571e64e9e Make ostatussub conform to coding standards a bit 2014-03-05 13:44:45 +01:00
Mikael Nordfeldth
dc0ae2785d SubMirror now works again against old PuSH
There was a problem with (specifically at least) PuSHpress for
Wordpress. A previous attempt to perform a DB transaction backfired
because the remote side could connect to the callback before our
commit had gone through.

I take full responsibility for introducing the bug in the first place :)
2014-03-03 00:01:13 +01:00
Mikael Nordfeldth
fc047bd6e6 Minor code cleanup with group related actions (thanks brw12)
Originated from brw12 who noticed an incorrect variable name used in
an error message in actions/apigroupjoin.php:109
2014-03-01 12:01:17 +01:00
Mikael Nordfeldth
ab4113168f PuSH 0.4: No outgoing 'sync' verifications. Feed renewal script. No auto-renewal.
Among other things (such as permanent subscriptions), Pubsubhubbub 0.4
removed the "sync" verification method. This means that any incoming
PuSH subscription requests that follow the 0.4 spec won't really
_require_that we handle it as a background process, but if we were to
try direct verification of the subscription - and fail - there's no way
we could  pick up the ball again. So _essentially_ we require background
processing with retries.

This means we must implement something like the "poorman cron" or
similar, so background processing can be handled
on-demand/on-site-visit. This is how Friendica, Drupal etc. handles it
and is necessary for environments where we can't run separate queue
daemons.

When the poorman-cron-ish thing is implemented, auto-renewal will work
for all users.

PuSH 0.4 spec:
    https://pubsubhubbub.googlecode.com/git/pubsubhubbub-core-0.4.html
More on PuSH 0.4 release (incl. breaking changes):
    https://groups.google.com/forum/#!msg/pubsubhubbub/7RPlYMds4RI/2mIHQTdV3aoJ
2013-11-02 20:02:28 +01:00
Mikael Nordfeldth
be62f44ef4 OStatus remote address example now more generic 2013-10-30 15:04:54 +01:00
Mikael Nordfeldth
f8b49e69d0 Protected function prepare with array $args defaulting to array() 2013-10-29 10:26:46 +01:00
Mikael Nordfeldth
23a6b4595f Reworked the ActivityContext->attention structure
Removing Evan's obscure attentionType solution and directly using the attention array
2013-10-28 22:21:14 +01:00
Mikael Nordfeldth
2729c622ff Minor function definitions so they match Action parent 2013-10-20 17:21:56 +02:00
Mikael Nordfeldth
cd6fa512ac Twitter Import + avatar fixes (cleaning up + fixing)
...there was also a typo in OstatussubAction ($avatarUrl not defined)
2013-10-03 15:28:51 +02:00
Mikael Nordfeldth
b0dfc70a54 Properly unlink all old avatars when deleting/uploading a new
We're also now using $config['image']['jpegquality'] to determine the
quality setting for resized images.

To set Avatar max size, adjust $config['avatar']['maxsize']

The getAvatar call now throws exceptions too. Related changes applied.
Now let's move Profile->avatarUrl to the Avatar class!
2013-10-01 17:00:10 +02:00
Mikael Nordfeldth
a7e748479c Fixed regression in OStatus sub from WebFinger/XML_XRD update
XML_XRD::getAll requires arguments (at least relation). If one really
want all links, just get the 'links' array. It's public!

Also, not all XML_XRD_Element_Link were migrated from the previous
array style.
2013-09-30 23:33:28 +02:00
Mikael Nordfeldth
a0e107f17f Implemented WebFinger and replaced our XRD with PEAR XML_XRD
New plugins:
* LRDD
    LRDD implements client-side RFC6415 and RFC7033 resource descriptor
    discovery procedures. I.e. LRDD, host-meta and WebFinger stuff.

    OStatus and OpenID now depend on the LRDD plugin (XML_XRD).

* WebFinger
    This plugin implements the server-side of RFC6415 and RFC7033. Note:
    WebFinger technically doesn't handle XRD, but we serve both that and
    JRD (JSON Resource Descriptor), depending on Accept header and one
    ugly hack to check for old StatusNet installations.

    WebFinger depends on LRDD.

We might make this even prettier by using Net_WebFinger, but it is not
currently RFC7033 compliant (no /.well-known/webfinger resource GETs).

Disabling the WebFinger plugin would effectively render your site non-
federated (which might be desired on a private site).

Disabling the LRDD plugin would make your site unable to do modern web
URI lookups (making life just a little bit harder).
2013-09-30 22:04:52 +02:00
Mikael Nordfeldth
1c6f9df80e PHP5.5 fix: Better use of startXML for Action classes (mostly AJAX)
I had a problem with PHP5.5 that caused ajax responses to be empty. This
fixes it, as the problem was related to pretty inconsistent calling to
headers, XMLWriter::startDocument etc. etc.
2013-09-24 01:18:33 +02:00
Mikael Nordfeldth
747fe9d59b Tidying up getUser calls to profiles and some events
getUser calls are much more strict, and one place where this was found was
in the (un)subscribe start/end event handlers, which resulted in making the
Subscription class a bit stricter, regarding ::start and ::cancel at least.
Several minor fixes in many files were made due to this.

This does NOT touch the Foreign_link function, which should also have a more
strict getUser call. That is a future project.
2013-09-09 23:03:34 +02:00
Mikael Nordfeldth
de55d8f83b plugins onAutoload now only overloads if necessary (extlibs etc.)
lib/plugin.php now has a parent onAutoload function that finds most common
files that are used in plugins (actions, dataobjects, forms, libs etc.) if
they are put in the standardised directories ('actions', 'classes', 'forms',
'lib' and perhaps some others in the future).
2013-08-28 16:10:30 +02:00
Mikael Nordfeldth
0bbcfa7bdf IMPORTANT - fixed HubSub to properly fetch primary keys
In commit e95f77d34c HubSub lost the
'staticGet' function in a consolidation into the Managed_DataObject class.
This was done carelessly by me as HubSub::staticGet was actually taking
two arguments, none of which was a key and merging them in HubSub::hashkey()
(staticGet was renamed getKV 2a4dc77a63).

NOTE: This complements commit 7e4718a4eb which
fixed a similar issue for the Magicsig class.
2013-08-21 11:25:08 +02:00
Mikael Nordfeldth
e40044e2fa Further static declarations of functions
Validate could probably be replaced with filter_var if desired (PHP>=5.2.0)
2013-08-19 14:26:44 +02:00
Mikael Nordfeldth
2a4dc77a63 The overloaded DB_DataObject function staticGet is now called getKV
I used this hacky sed-command (run it from your GNU Social root, or change the first grep's path to where it actually lies) to do a rough fix on all ::staticGet calls and rename them to ::getKV

   sed -i -s -e '/DataObject::staticGet/I!s/::staticGet/::getKV/Ig' $(grep -R ::staticGet `pwd`/* | grep -v -e '^extlib' | grep -v DataObject:: |grep -v "function staticGet"|cut -d: -f1 |sort |uniq)

If you're applying this, remember to change the Managed_DataObject and Memcached_DataObject function definitions of staticGet to getKV!

This might of course take some getting used to, or modification fo StatusNet plugins, but the result is that all the static calls (to staticGet) are now properly made without breaking PHP Strict Standards. Standards are there to be followed (and they caused some very bad confusion when used with get_called_class)

Reasonably any plugin or code that tests for the definition of 'GNUSOCIAL' or similar will take this change into consideration.
2013-08-18 13:13:56 +02:00
Mikael Nordfeldth
f79aec36fe Merge remote-tracking branch 'statusnet/master'
This merges GNU Social with current development of StatusNet. The only conflicts were some documentation, where GNU Social's versions were retained.

Conflicts:
	doc-src/about
	doc-src/faq
	plugins/OpenID/doc-src/openid
2013-08-12 12:23:17 +02:00
Evan Prodromou
330041e8bf Merge branch 'master' of gitorious.org:statusnet/mainline 2012-07-28 13:59:40 -04:00
Mikael Nordfeldth
19c3cd541d Issue 3401, ostatus group subscription lands on blank page 2012-07-28 13:58:26 -04:00
Evan Prodromou
d5564fb8d8 Add a trace, too 2012-07-04 15:14:35 -04:00