Example #1
 /**
  * Loads the custom profile fields the browsing user may see, grouped by category.
  *
  * Fills $this->categories (category id => list of field rows) and
  * $this->locations (category id => category location), then sets
  * $this->data_built so that later calls return immediately.
  *
  * A field row is kept only when fetch_user_relationship(profile owner, browsing user)
  * is at least the privacy requirement stored under "profile_cat<categoryid>", or
  * $this->default_privacy_requirement when no such entry exists.
  *
  * NOTE(review): the query adds "AND pf.hidden = 0" when $showhidden is truthy OR the
  * browsing user lacks 'canseehiddencustomfields'. That reads as the opposite of what
  * the parameter name suggests. It errs towards hiding fields, but the intended
  * polarity should be confirmed against the callers.
  *
  * @param	boolean	Flag combined with the 'canseehiddencustomfields' permission to decide whether hidden fields are filtered out
  */
 function build_field_data($showhidden)
 {
     if ($this->data_built) {
         return;
     }

     $this->categories = array(0 => array());
     $this->locations = array();

     if (!isset($this->factory->privacy_requirements)) {
         $this->fetch_privacy_requirements();
     }

     // Hidden fields are excluded unless the condition below is false; the permission
     // bitfield is only consulted when $showhidden is falsy (short-circuit).
     $exclude_hidden = $showhidden
         || !($this->registry->userinfo['permissions']['genericpermissions'] & $this->registry->bf_ugp_genericpermissions['canseehiddencustomfields']);
     $hidden_clause = iif($exclude_hidden, "\n\t\t\t\t\tAND pf.hidden = 0");

     // No request data enters this statement: only TABLE_PREFIX and a fixed clause.
     $field_rows = $this->registry->db->query_read_slave(
         "\n\t\t\tSELECT pf.profilefieldcategoryid, pfc.location, pf.*\n\t\t\tFROM " . TABLE_PREFIX . "profilefield AS pf\n\t\t\tLEFT JOIN " . TABLE_PREFIX . "profilefieldcategory AS pfc ON(pfc.profilefieldcategoryid = pf.profilefieldcategoryid)\n\t\t\tWHERE pf.form = 0 " . $hidden_clause . "\n\t\t\tORDER BY pfc.displayorder, pf.displayorder\n\t\t"
     );

     while ($field = $this->registry->db->fetch_array($field_rows)) {
         $category_id = $field['profilefieldcategoryid'];
         $privacy_key = "profile_cat{$category_id}";

         // Per-category requirement, falling back to the object's default.
         if (isset($this->factory->privacy_requirements[$privacy_key])) {
             $required_level = $this->factory->privacy_requirements[$privacy_key];
         } else {
             $required_level = $this->default_privacy_requirement;
         }

         // The relationship is looked up for every row, exactly as many times as rows are fetched.
         $viewer_level = fetch_user_relationship($this->profile->userinfo['userid'], $this->registry->userinfo['userid']);
         if ($viewer_level >= $required_level) {
             $this->categories["{$category_id}"][] = $field;
             $this->locations["{$category_id}"] = $field['location'];
         }
     }

     $this->data_built = true;
 }
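/**
* Determines if the browsing user can view a specific section of a user's profile.
*
* The function is permissive by default. It returns true when profile privacy is
* switched off, when the browsing user is the profile owner, when no user record is
* returned for $userid, when the owner's permissions lack 'caneditprivacy', and when
* no requirement is stored for the section. Only a non-zero requirement is compared
* against fetch_user_relationship(owner, browsing user).
*
* @param	integer	User ID to check against
* @param	string	Name of the section to check
* @param	string	Optional override for privacy requirement (prevents query)
* @param	array	Optional array of userinfo (to save on querying)
*
* @return	boolean
*/
function can_view_profile_section($userid, $section, $privacy_requirement = null, $userinfo = null)
{
    global $vbulletin;

    if (!$vbulletin->options['profileprivacy']) {
        // not enabled - always viewable
        return true;
    }

    if (!is_array($userinfo)) {
        if ($userid == $vbulletin->userinfo['userid']) {
            // the browsing user is looking at their own profile
            return true;
        }

        $userinfo = fetch_userinfo($userid);
        if (!$userinfo) {
            // no user record came back; the function answers true here (fail-open)
            return true;
        }
    } else if ($userinfo['userid'] == $vbulletin->userinfo['userid']) {
        return true;
    }

    if (!isset($userinfo['permissions'])) {
        cache_permissions($userinfo, false);
    }

    if (!($userinfo['permissions']['usercsspermissions'] & $vbulletin->bf_ugp_usercsspermissions['caneditprivacy'])) {
        // user doesn't have permission - always viewable
        return true;
    }

    if ($privacy_requirement === null) {
        // userid goes through intval() and the section name through the driver's
        // escape_string() before they are placed in the statement.
        $privacy_row = $vbulletin->db->query_first_slave("\n\t\t\tSELECT requirement\n\t\t\tFROM " . TABLE_PREFIX . "profileblockprivacy\n\t\t\tWHERE userid = " . intval($userinfo['userid']) . "\n\t\t\t\tAND blockid = '" . $vbulletin->db->escape_string($section) . "'\n\t\t");

        // When no row exists the result is not an array; empty() treats that the
        // same as a zero requirement without indexing into a non-array value.
        $privacy_requirement = !empty($privacy_row['requirement']) ? $privacy_row['requirement'] : 0;
    }

    return !$privacy_requirement or fetch_user_relationship($userinfo['userid'], $vbulletin->userinfo['userid']) >= $privacy_requirement;
}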
Example #3
 /**
  * Returns the SQL conditions that restrict albums to what the browsing user may see.
  * @see fetch()
  *
  * The clause is built once and cached in $this->state_sql. It combines the album
  * states the viewer may see, the visibility/moderation condition, and a comparison
  * of profileblockprivacy.requirement with the viewer's relationship to
  * $this->parent_id. A NULL requirement (no privacy row) passes the comparison.
  * The clause refers to the `album` and `profileblockprivacy` names, so the query
  * it is appended to has to provide them (presumably done in fetch(); verify).
  *
  * @access protected
  *
  * @return string							The built SQL
  */
 function state_sql()
 {
     if (isset($this->state_sql)) {
         return $this->state_sql;
     }

     // Album states the viewer may see. These are fixed literals, never request
     // data, which is why they can be imploded straight into the IN (...) list.
     $visible_states = array('public');
     if ($this->parent_id) {
         if (can_view_private_albums($this->parent_id)) {
             $visible_states[] = 'private';
         }
         if (can_view_profile_albums($this->parent_id)) {
             $visible_states[] = 'profile';
         }
     }

     $clause = "AND (album.state IN ('" . implode("','", $visible_states) . "')";

     // Moderated albums are only included for a viewer who asked for them and
     // holds the picture moderation permission.
     $clause .= ($this->show_moderated and can_moderate(0, 'canmoderatepictures'))
         ? 'AND (album.visible > 0 OR album.moderation > 0)'
         : 'AND album.visible > 0';
     $clause .= ')';

     require_once DIR . '/includes/functions_user.php';

     // The relationship level is forced to an integer before it reaches the SQL text.
     $viewer_level = fetch_user_relationship($this->parent_id, $this->registry->userinfo['userid']);
     $clause .= " AND (profileblockprivacy.requirement <= " . intval($viewer_level) . " OR profileblockprivacy.requirement IS NULL)";

     $this->state_sql = $clause;

     return $this->state_sql;
 }
Example #4
	/**
	* Verify permissions of a single attachment
	*
	* Decides whether the browsing user may fetch an album picture attachment.
	* Access is refused when albums are disabled, when verify_attachment_specific()
	* fails, when an attachment without a content id belongs to somebody else, or
	* when any of the album, moderation, privacy and usergroup conditions in the
	* large `else if` below applies.
	*
	* NOTE(review): the refusal from the `else if` branch is integer 0 while the other
	* refusals are boolean false. Both are falsy; the inline comment suggests the
	* caller tells them apart (clear.gif versus a permission error), which would
	* need a strict comparison on the caller's side - confirm.
	*
	* @return	bool	true when access is allowed; false or integer 0 when it is refused
	*/
	public function verify_attachment()
	{
		// Albums switched off in the social networking options: nothing is served.
		if (!($this->registry->options['socnet'] & $this->registry->bf_misc_socnet['enable_albums']))
		{
			return false;
		}

		// Plugin code registered for 'attachment_start' is eval()'d in this method's
		// scope, so it can read and overwrite every local variable as well as $this.
		// NOTE(review): the three $hook_query_* strings are initialised for the hook
		// but are not read again in this method body - confirm whether they were
		// meant to be handed to verify_attachment_specific().
		$hook_query_fields = $hook_query_joins = $hook_query_where = '';
		($hook = vBulletinHook::fetch_hook('attachment_start')) ? eval($hook) : false;

		// Extra columns for the attachment lookup: the album's state, id and owner,
		// plus the owner's privacy requirement for the 'albums' profile block.
		$selectsql = array(
			"album.state AS albumstate, album.albumid, album.userid AS albumuserid",
			"pbp.requirement AS privacy_requirement",
		);

		// Both joins are LEFT JOINs, so the album columns and the requirement are
		// NULL when no matching row exists.
		$joinsql = array(
			"LEFT JOIN " . TABLE_PREFIX . "album AS album ON (album.albumid = a.contentid)",
			"LEFT JOIN " . TABLE_PREFIX . "profileblockprivacy AS pbp ON (pbp.userid = a.userid AND pbp.blockid = 'albums')",
		);

		if (!$this->verify_attachment_specific('vBForum_Album', $selectsql, $joinsql))
		{
			return false;
		}

/*	TODO
		$this->browsinginfo = array(
			'bloginfo' => array(
				'blogid' => $this->attachmentinfo['blogid'],
			),
			'userinfo' => array(
				'userid' => $this->attachmentinfo['userid'],
			),
		);
*/
		require_once(DIR . '/includes/functions_user.php');
		// contentid 0: the attachment is not tied to an album, and only its owner
		// may fetch it.
		if ($this->attachmentinfo['contentid'] == 0)
		{
			// there may be a condition where certain moderators could benefit by seeing these, I just don't know of any conditions at present
			if ($this->registry->userinfo['userid'] != $this->attachmentinfo['userid'])
			{
				return false;
			}
		}
		// Access is refused when ANY of the following holds:
		//  - no album row was joined (albumid is empty);
		//  - the album's owner differs from the attachment's owner;
		//  - the attachment is in 'moderation' state and the viewer is neither its
		//    owner nor holder of 'canmoderatepictures' or 'caneditalbumpicture';
		//  - a non-zero privacy requirement exists and the viewer's relationship to
		//    the owner is below it (an empty/NULL requirement skips this test);
		//  - the album is not a 'profile' album and the viewer lacks 'canviewalbum';
		//  - the album is 'private' and can_view_private_albums() says no.
		// User ids are compared with the loose != operator throughout.
		else if (
			!$this->attachmentinfo['albumid']
				OR
			$this->attachmentinfo['albumuserid'] != $this->attachmentinfo['userid']
				OR
			(
				$this->attachmentinfo['state'] == 'moderation'
					AND
				$this->attachmentinfo['userid'] != $this->registry->userinfo['userid']
					AND
				!can_moderate(0, 'canmoderatepictures')
					AND
				!can_moderate(0, 'caneditalbumpicture')
			)
				OR
			(
				$this->attachmentinfo['privacy_requirement']
					AND
				fetch_user_relationship($this->attachmentinfo['userid'], $this->registry->userinfo['userid']) < $this->attachmentinfo['privacy_requirement']
			)
				OR
			(
				$this->attachmentinfo['albumstate'] != 'profile'
					AND
				!($this->registry->userinfo['permissions']['albumpermissions'] & $this->registry->bf_ugp_albumpermissions['canviewalbum'])
			)
				OR
			(
				$this->attachmentinfo['albumstate'] == 'private'
					AND
				!can_view_private_albums($this->attachmentinfo['userid'])
			)
		)
		{
			// echo clear.gif, not permissions error. This may only be needed for 'albumstate' == 'profile'
			return 0;
		}

		return true;
	}
Example #5
}
// Decides whether the requested album picture may be served. $imageinfo is loaded
// before this excerpt; the outcome is left in $have_image.
//
// Plugin code registered for 'picture_imageinfo' is eval()'d in this scope, so it
// can change $imageinfo or any other variable before the checks below run.
($hook = vBulletinHook::fetch_hook('picture_imageinfo')) ? eval($hook) : false;
// Starts as "a picture row was loaded"; the checks that follow can only clear it.
$have_image = $imageinfo ? true : false;
// A picture in 'moderation' state is shown only to its owner or to a viewer holding
// 'canmoderatepictures' or 'caneditalbumpicture'.
if ($have_image and $imageinfo['state'] == 'moderation' and !can_moderate(0, 'canmoderatepictures') and $imageinfo['userid'] != $vbulletin->userinfo['userid'] and !can_moderate(0, 'caneditalbumpicture')) {
    $have_image = false;
}
// The picture data must actually exist, either in the database row or on disk,
// depending on the 'album_dataloc' option.
if ($have_image) {
    if ($vbulletin->options['album_dataloc'] == 'db') {
        $have_image = strlen($imageinfo['filedata']) > 0;
    } else {
        $have_image = file_exists(fetch_picture_fs_path($imageinfo, $vbulletin->GPC['thumb']));
    }
}
if ($have_image) {
    // Owner's privacy requirement versus the viewer's relationship to the owner.
    // NOTE(review): this comparison only runs when the request carried a truthy
    // 'albumid' and a requirement is set; confirm that requests without an
    // albumid are covered by another check before the picture is sent.
    if ($vbulletin->GPC['albumid'] and $imageinfo['privacy_requirement']) {
        if (fetch_user_relationship($imageinfo['userid'], $vbulletin->userinfo['userid']) < $imageinfo['privacy_requirement']) {
            $have_image = false;
        }
    }
    if ($imageinfo['albumstate'] != 'profile' and !($vbulletin->userinfo['permissions']['albumpermissions'] & $vbulletin->bf_ugp_albumpermissions['canviewalbum'])) {
        // user's w/o viewing permission can only view profile category pictures directly
        $have_image = false;
    }
    if ($imageinfo['albumstate'] == 'private') {
        if (!can_view_private_albums($imageinfo['userid'])) {
            // private album we can't see
            $have_image = false;
        }
    }
}
// Second plugin hook, again eval()'d in this scope: it runs after every check above
// and can therefore overturn the decision held in $have_image.
($hook = vBulletinHook::fetch_hook('picture_haveimage')) ? eval($hook) : false;
Example #6
 /**
  * vBForum_Search_Result_VisitorMessage::can_search()
  *
  * Decides whether this visitor message may be shown to $user in search results.
  * The checks run from cheapest to most expensive: feature switch, profile viewing
  * permission, visitor message permission, the profile owner's "messages enabled"
  * option, and finally the privacy requirement and "contacts only" option, both
  * of which need the relationship between the profile owner and $user.
  *
  * @param mixed $user: the searching user; used here as an object providing hasPermission() and getField()
  * @return bool true if the message may be shown, false otherwise
  */
 public function can_search($user)
 {
     global $vbulletin;
     require_once DIR . '/includes/functions_visitormessage.php';
     require_once DIR . '/includes/functions_user.php';

     // Visitor messaging switched off: nothing is shown.
     $messaging_enabled = $vbulletin->options['socnet'] & $vbulletin->bf_misc_socnet['enable_visitor_messaging'];
     if (!$messaging_enabled) {
         return false;
     }

     // A user who cannot view member profiles cannot see visitor messages either.
     if (!$user->hasPermission('genericpermissions', 'canviewmembers')) {
         return false;
     }

     // fetch_visitor_message_perm() lives in functions_visitormessage.php and, per
     // the original author's notes, takes ($perm, &$userinfo, $message), where
     // $message needs at least 'state' and 'postuserid'. The message row is passed
     // for both array arguments because no separate message-info loader exists.
     // NOTE(review): the same notes describe $userinfo as $vbulletin->userinfo, yet
     // the message row is what gets passed - confirm the helper evaluates the
     // permission for the intended user.
     if (!fetch_visitor_message_perm('canviewvisitormessages', $this->message, $this->message)) {
         return false;
     }

     // The profile owner and moderators skip the "messages enabled" test. That
     // option lives in the main user options, not in the profile privacy settings.
     $owner_or_moderator = ($this->message['userid'] == $user->getField('userid'))
         || can_moderate(0, 'canmoderatevisitormessages');
     if (!$owner_or_moderator && !($this->message['useroptions'] & $vbulletin->bf_misc_useroptions['vm_enable'])) {
         return false;
     }

     // Privacy settings come last because they are the most likely to cost an
     // extra query.
     $viewer_level = fetch_user_relationship($this->message['userid'], $user->getField('userid'));
     if ($viewer_level < $this->message['requirement']) {
         return false;
     }

     // Besides the profile privacy requirement, the main user options can restrict
     // visitor messages to contacts only. "Contact" is level 2, so any level of
     // 2 or above counts as a contact.
     $contacts_only = $this->message['useroptions'] & $vbulletin->bf_misc_useroptions['vm_contactonly'];

     return !($contacts_only && $viewer_level < 2);
 }