From 482a8369d0a18a6191d5792701909a29bc6ca69c Mon Sep 17 00:00:00 2001
From: Per Cederqvist <ceder@lysator.liu.se>
Date: Sun, 3 Sep 2000 19:45:26 +0000
Subject: [PATCH] (send_async_sub_recipient): Use filter_secret_info() so that
 the exact same visibility is used by async-sub-recipient and
 get-text-stat. (filter_secret_info): Don't allow the author of a text to see
 bcc-recpt which are secret to him.  Simplify the code slightly.
 (send_async_add_recipient): Use filter_secret_info() so that the exact
 same visibility is used by async-add-recipient and get-text-stat.

---
 src/server/text.c | 129 +++++++++++++++++-----------------------------
 1 file changed, 47 insertions(+), 82 deletions(-)

diff --git a/src/server/text.c b/src/server/text.c
index 6ce5f44e0..40e49326d 100644
--- a/src/server/text.c
+++ b/src/server/text.c
@@ -1,5 +1,5 @@
 /*
- * $Id: text.c,v 0.78 2000/09/02 20:06:15 ceder Exp $
+ * $Id: text.c,v 0.79 2000/09/03 19:45:26 ceder Exp $
  * Copyright (C) 1991-1999  Lysator Academic Computer Association.
  *
  * This file is part of the LysKOM server.
@@ -34,7 +34,7 @@
 #endif
 
 static const char *
-rcsid = "$Id: text.c,v 0.78 2000/09/02 20:06:15 ceder Exp $";
+rcsid = "$Id: text.c,v 0.79 2000/09/03 19:45:26 ceder Exp $";
 #include "rcs.h"
 USE(rcsid);
 
@@ -83,6 +83,11 @@ do_create_text(const String   message,
                Bool           anonymous,
                Text_stat    **ret_stat);
 
+static void
+filter_secret_info(Text_stat *result,
+		   const Text_stat *original,
+                   const Connection *viewer_conn,
+                   Bool output_bcc);
 
 /*
  * Static functions
@@ -592,43 +597,23 @@ send_async_sub_recipient(Text_no          text_no,
 {
     Connection *cptr;
     Session_no i = 0;
-    Membership *mship;
 
-    if (type != bcc_recpt)
-    {
-        while ((i = traverse_connections(i)) != 0)
-        {
-            cptr = get_conn_by_number(i);
-            /*
-             * Send messate if connection is logged on, the user is a member
-             * in a recipient and the subtracted recipient is visible to the
-             * user
-             */
-            if (cptr->person != NULL
-                && is_member_in_recpt(cptr->person, text_s, TRUE) == TRUE
-                && access_perm(conf_no, cptr, read_protected) > none)
-            {
-                async_sub_recipient(cptr, text_no, conf_no, type);
-            }
-        }
-    }
-    else
+    while ((i = traverse_connections(i)) != 0)
     {
-        while ((i = traverse_connections(i)) != 0)
-        {
-            cptr = get_conn_by_number(i);
-            if (cptr->person != NULL)
+	cptr = get_conn_by_number(i);
+	if (cptr->person != NULL
+	    && is_member_in_recpt(cptr->person, text_s, TRUE) == TRUE)
+	{
+	    Text_stat copy;
+
+	    filter_secret_info(&copy, text_s, cptr, TRUE);
+	    if (find_recipient(conf_no, &copy) != -1
+		&& is_member_in_recpt(cptr->person, &copy, TRUE) == TRUE)
 	    {
-                mship = locate_membership(conf_no, cptr->person);
-                if (mship != NULL
-		    && !mship->type.passive
-		    && access_perm(conf_no, cptr, read_protected) > none)
-                {
-                    async_sub_recipient(cptr, text_no, conf_no, type);
-                }
-            }
-        }
-    }        
+		async_sub_recipient(cptr, text_no, conf_no, type);
+	    }
+	}
+    }
 }
 
 /*
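Review bot: The new `find_recipient(conf_no, &copy) != -1` test only works if `conf_no` is still among the misc items of `text_s` when send_async_sub_recipient() runs, and nothing in the function states that. If a caller removes the recipient from the text before notifying (the callers are not part of this diff), no connection would ever receive the message. I would record the precondition above the loop, `/* text_s must still list conf_no as a recipient; visibility is decided from the filtered copy. */`. The mirror-image precondition applies to send_async_add_recipient() in the last hunk, which has to be called after the recipient has been added. The function's signature starts outside the hunk.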
@@ -1256,11 +1241,12 @@ filter_secret_info(Text_stat *result,
 
         case bcc_recpt:
             /*
-             * We will send this if ...
-             * The viewer is the recipient or
-             * The recipient is an open conference
-             * The viewer sent the BCC
-             * The viewer is the author
+             * We will send this if any of the following is true:
+             * - The viewer is the recipient.
+             * - The recipient is an open conference.
+             * - The viewer sent the BCC.
+             * - The viewer is supervisor of the author, and allowed
+	     *   to know that the recipient exists.
              */
 
             if (viewer_p != NULL
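Review bot: The last bullet of the rewritten comment names only the supervisor of the author, while the commit message describes the change as restricting what the author himself may see. If is_supervisor() also matches the author (its definition is not in this diff), the bullet should say so, for example `- The viewer is the author or a supervisor of the author, and has at least read_protected access to the recipient.` That wording also matches the `>= read_protected` test added in the next hunk more precisely than "allowed to know that the recipient exists". The continuation line of that bullet starts with a tab and is indented differently from its neighbours.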
@@ -1271,21 +1257,15 @@ filter_secret_info(Text_stat *result,
 		    || recp_sent_by(
 			orig, original->misc_items + original->no_of_misc,
 			viewer, viewer_p)
-		    || is_supervisor(original->author, viewer, viewer_p)))
+		    || (is_supervisor(original->author, viewer, viewer_p)
+			&& (access_perm(orig->datum.bcc_recipient,
+					viewer_conn, read_protected)
+			    >= read_protected))))
             {
+		*copy++ = *orig++;
+		++result->no_of_misc;
                 if (!output_bcc)
-                {
-                    *copy = *orig;
-                    copy->type = cc_recpt;
-                    copy++;
-                    orig++;
-                    ++result->no_of_misc;
-                }
-                else
-                {
-                    *copy++ = *orig++;
-                    ++result->no_of_misc;
-                }
+                    copy[-1].type = cc_recpt;
             }
             else
             {
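Review bot: `copy[-1].type = cc_recpt;` patches the item after the pointer has already been advanced, which is correct here but easy to break if a statement is later inserted between the copy and the fix-up. Rewriting the type before advancing reads more directly: `*copy = *orig++;` then `if (!output_bcc) copy->type = cc_recpt;` then `++copy; ++result->no_of_misc;`. A one-line comment such as `/* output_bcc is false: report the bcc as a plain cc_recpt. */` would also record why the type is changed. The surrounding switch and loop lie outside the hunk.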
@@ -2819,38 +2799,23 @@ send_async_add_recipient(Text_no text_no,
 			 Info_type type)
 {
     Connection *cptr;
-    Membership *mship;
     Session_no i = 0;
 
-    if (type != bcc_recpt)
-    {
-        while ((i = traverse_connections(i)) != 0)
-        {
-            cptr = get_conn_by_number(i);
-            if (cptr->person != NULL
-                && is_member_in_recpt(cptr->person, text_s, TRUE) == TRUE
-                && access_perm(conf_no, cptr, read_protected) > none)
-            {
-                async_new_recipient(cptr, text_no, conf_no, type);
-            }
-        }
-    }
-    else
+    while ((i = traverse_connections(i)) != 0)
     {
-        while ((i = traverse_connections(i)) != 0)
-        {
-            cptr = get_conn_by_number(i);
-            if (cptr->person != NULL)
+	cptr = get_conn_by_number(i);
+	if (cptr->person != NULL
+	    && is_member_in_recpt(cptr->person, text_s, TRUE) == TRUE)
+	{
+	    Text_stat copy;
+
+	    filter_secret_info(&copy, text_s, cptr, TRUE);
+	    if (find_recipient(conf_no, &copy) != -1
+		&& is_member_in_recpt(cptr->person, &copy, TRUE) == TRUE)
 	    {
-                mship = locate_membership(conf_no, cptr->person);
-                if (mship != NULL
-		    && !mship->type.passive
-		    && access_perm(conf_no, cptr, read_protected) > none)
-                {
-                    async_new_recipient(cptr, text_no, conf_no, type);
-                }
-            }
-        }
+		async_new_recipient(cptr, text_no, conf_no, type);
+	    }
+	}
     }
 }
 
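Review bot: `Text_stat copy` is handed to filter_secret_info() uninitialised, and the filter_secret_info hunk writes misc items through a pointer into `result`, so the storage behind `copy.misc_items` has to be allocated inside filter_secret_info(), in code this diff does not show. The loop now triggers that allocation once per logged-in member connection. If it is not request-scoped scratch memory, each pass leaks an array. I would document the ownership at the declaration, for example `/* NOTE: copy.misc_items is allocated by filter_secret_info(); confirm it is released at end of request. */`. The same applies to the identical loop in send_async_sub_recipient(). The function's signature starts outside the hunk.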
-- 
GitLab