From 2b38eca986ee3673023a3622b0cb4f2b828c3d5e Mon Sep 17 00:00:00 2001 From: Mario Date: Thu, 15 May 2025 18:56:30 +0000 Subject: [PATCH] refactor sql_extra > permission_sql --- Zotlabs/Module/Channel.php | 11 +++++++---- Zotlabs/Module/Display.php | 12 ++++++------ include/items.php | 14 +++++++++----- 3 files changed, 22 insertions(+), 15 deletions(-) diff --git a/Zotlabs/Module/Channel.php b/Zotlabs/Module/Channel.php index 2619911b3..9671cedf3 100644 --- a/Zotlabs/Module/Channel.php +++ b/Zotlabs/Module/Channel.php @@ -298,7 +298,8 @@ class Channel extends Controller { $item_normal = item_normal(); $item_normal_update = item_normal_update(); - $sql_extra = item_permissions_sql(App::$profile['profile_uid']); + $sql_extra = ''; + $permission_sql = item_permissions_sql(App::$profile['profile_uid']); $page_mode = 'client'; @@ -337,7 +338,7 @@ class Channel extends Controller { if ($mid) { $r = q("SELECT parent AS item_id from item where $identifier = '%s' and uid = %d $item_normal_update - AND item_wall = 1 $simple_update $sql_extra limit 1", + AND item_wall = 1 $simple_update $permission_sql $sql_extra limit 1", dbesc($mid), intval(App::$profile['profile_uid']) ); @@ -348,6 +349,7 @@ class Channel extends Controller { WHERE uid = %d $item_normal_update AND item_wall = 1 $simple_update AND (abook.abook_blocked = 0 or abook.abook_flags is null) + $permission_sql $sql_extra ORDER BY created DESC", intval(App::$profile['profile_uid']) @@ -385,7 +387,7 @@ class Channel extends Controller { if ($noscript_content || $load) { if ($mid) { $r = q("SELECT parent AS item_id from item where $identifier = '%s' and uid = %d $item_normal - AND item_wall = 1 $sql_extra limit 1", + AND item_wall = 1 $permission_sql $sql_extra limit 1", dbesc($mid), intval(App::$profile['profile_uid']) ); 
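Review bot: Starting `$sql_extra` as an empty string in the first Channel.php hunk (`@@ -298`) means any query in this method that still interpolates only `$sql_extra` now runs without the permission clause, so the refactor fails open wherever a query was missed. The hunks at `@@ -337`, `@@ -348`, `@@ -385` and `@@ -401` each add `$permission_sql` by hand, but the method body continues outside these hunks and cannot be checked from here. I would add a comment at the assignment, `// $permission_sql is mandatory in every item query below; $sql_extra only carries optional filters`, and search the rest of the method for queries that still use `$sql_extra` alone before merging.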
@@ -401,6 +403,7 @@ class Channel extends Controller { AND (abook.abook_blocked = 0 or abook.abook_flags is null) AND item.item_wall = 1 $item_normal + $permission_sql $sql_extra $sql_extra2 ORDER BY $ordering DESC, item_id @@ -416,7 +419,7 @@ class Channel extends Controller { if ($r) { $parents_str = ids_to_querystr($r, 'item_id'); - $r = items_by_parent_ids($parents_str, sql_extra: $sql_extra, blog_mode: $blog_mode); + $r = items_by_parent_ids($parents_str, permission_sql: $permission_sql, blog_mode: $blog_mode); xchan_query($r); $items = fetch_post_tags($r, true); diff --git a/Zotlabs/Module/Display.php b/Zotlabs/Module/Display.php index baa352e7f..4b5b69405 100644 --- a/Zotlabs/Module/Display.php +++ b/Zotlabs/Module/Display.php @@ -212,7 +212,7 @@ class Display extends Controller { $observer_hash = get_observer_hash(); $item_normal = item_normal(); $item_normal_update = item_normal_update(); - $sql_extra = ''; + $permission_sql = ''; $r = []; if($noscript_content || $load) { @@ -231,7 +231,7 @@ class Display extends Controller { } if(!$r) { - $sql_extra = item_permissions_sql(0, $observer_hash); + $permission_sql = item_permissions_sql(0, $observer_hash); $r = q("SELECT item.id AS item_id FROM item WHERE ((mid = '%s' @@ -239,7 +239,7 @@ class Display extends Controller { AND item.deny_gid = '' AND item_private = 0 ) AND uid IN ( " . stream_perms_api_uids(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " )) OR uid = %d ))) OR - (mid = '%s' $sql_extra )) + (mid = '%s' $permission_sql )) $item_normal limit 1", dbesc($target_item['parent_mid']), @@ -269,7 +269,7 @@ class Display extends Controller { } if(!$r) { - $sql_extra = item_permissions_sql(0, $observer_hash); + $permission_sql = item_permissions_sql(0, $observer_hash); $r = q("SELECT item.id as item_id from item WHERE ((parent_mid = '%s' 
@@ -277,7 +277,7 @@ class Display extends Controller { AND item.deny_gid = '' AND item_private = 0 ) and uid in ( " . stream_perms_api_uids(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " )) OR uid = %d ))) OR - (parent_mid = '%s' $sql_extra )) + (parent_mid = '%s' $permission_sql )) $item_normal limit 1", dbesc($target_item['parent_mid']), @@ -291,7 +291,7 @@ class Display extends Controller { $parents_str = ids_to_querystr($r,'item_id'); if($parents_str) { $thr_parents_str = stringify_array(get_recursive_thr_parents($target_item), true); - $items = items_by_parent_ids($parents_str, $thr_parents_str, $sql_extra); + $items = items_by_parent_ids($parents_str, $thr_parents_str, $permission_sql); xchan_query($items); $items = fetch_post_tags($items,true); diff --git a/include/items.php b/include/items.php index 55381af6d..06ee34476 100644 --- a/include/items.php +++ b/include/items.php @@ -5438,15 +5438,16 @@ function item_by_item_id(int $id): array /** * @brief returns an array of items by ids - * ATTENTION: no permissions are checked here!!! + * ATTENTION: no permissions for the pa are checked here!!! * Permissions MUST be checked by the function which returns the ids. * @param string $ids - a string with ids separated by comma * @param string $thr_parents (optional) - a string with thr_parent mids separated by comma * which will be included + * @param string $permission_sql (optional) - SQL provided by item_permission_sql() by the calling module * @param bool $blog_mode (optional) - if set to yes only the parent items will be returned */ -function items_by_parent_ids(string $ids, string $thr_parents = '', string $sql_extra = '', bool $blog_mode = false): array +function items_by_parent_ids(string $ids, string $thr_parents = '', string $permission_sql = '', bool $blog_mode = false): array { $item_normal = item_normal(); $item_normal_c = item_normal(prefix: 'c'); 
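Review bot: In the Display.php hunk at `@@ -291`, `$permission_sql` is still the empty string from `@@ -212` whenever the earlier lookup already filled `$r`, because it is only assigned inside the `if(!$r)` branches shown at `@@ -231` and `@@ -269`. In that case `items_by_parent_ids()` receives no permission clause and returns the child rows unfiltered. That is presumably intended for the branch where the viewer owns the item, but that lookup lies outside these hunks, so the assumption should be written down next to the call, for example `// $permission_sql stays '' only when $r came from the owner's own copy above`. If any other path can fill `$r` first, the clause should be computed unconditionally before this call.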
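Review bot: The reworded warning in the items.php docblock (`@@ -5438`) is cut off (`no permissions for the pa are checked here!!!`), and the new `@param` line names `item_permission_sql()` while the callers in this patch use `item_permissions_sql()`. Since `$permission_sql` is placed into the query text unescaped, the docblock should say so: `@param string $permission_sql (optional) - trusted SQL fragment from item_permissions_sql(); inserted verbatim, never build it from request data`. I would restore the first line to something like `ATTENTION: no permissions for the parent ids are checked here!!!`, assuming that is what was meant. Renaming the parameter also breaks any caller that still passes `sql_extra:` by name, as Channel.php did before this patch; callers outside this diff are not visible here.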
@@ -5469,7 +5470,10 @@ function items_by_parent_ids(string $ids, string $thr_parents = '', string $sql_ $thr_parent_uuid_sql_join = "LEFT JOIN item tp ON item.thr_parent = tp.mid AND item.uid = tp.uid"; } - $sql_extra_c = str_replace('item.', 'c.', $sql_extra); + $permission_sql_c = ''; + if ($permission_sql) { + $permission_sql_c = str_replace('item.', 'c.', $permission_sql); + } $ret = q( "SELECT item.*, @@ -5481,7 +5485,7 @@ function items_by_parent_ids(string $ids, string $thr_parents = '', string $sql_ AND c.item_thread_top = 0 AND c.thr_parent = item.mid $item_normal_c - $sql_extra_c + $permission_sql_c $thr_parent_uuid_sql_join WHERE $blog_mode_sql in (%s) AND ( @@ -5490,7 +5494,7 @@ function items_by_parent_ids(string $ids, string $thr_parents = '', string $sql_ ) $thr_parent_sql $item_normal - $sql_extra + $permission_sql GROUP BY item.id", dbesc($ids) );
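Review bot: Deriving `$permission_sql_c` with `str_replace('item.', 'c.', $permission_sql)` in the hunk at `@@ -5469` only works while every column in the permission fragment carries the `item.` prefix and nothing else in it contains that substring. The fragment is produced outside this diff, so neither condition can be confirmed here; an unqualified column would be ambiguous against the `c` alias, and a stray match would silently rewrite the clause that protects the child rows. Having the producer accept a table prefix, the way `item_normal(prefix: 'c')` is already called in this function, would remove the text rewrite, though whether `item_permissions_sql()` can take one is not visible here. The new `if ($permission_sql)` guard is not needed, because `str_replace` on an empty string already returns an empty string.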
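Review bot: In the last hunk (`@@ -5490`) `dbesc($ids)` is substituted into the unquoted list `in (%s)`, and string escaping presumably does not restrict an unquoted value to integers, so the query relies entirely on callers passing a clean id list. The callers in this patch build it with `ids_to_querystr()`, but the signature accepts any string. A cheap defence in depth is to normalise at the top of the function, `$ids = implode(',', array_map('intval', explode(',', $ids)));`, which leaves well-formed input unchanged. The function body starts outside this hunk, so an existing check further up cannot be ruled out.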