permission check fix, thanks to Robin Kroha

author garvinhicking <garvinhicking>

Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)

committer garvinhicking <garvinhicking>

Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)
author garvinhicking <garvinhicking>
Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)
committer garvinhicking <garvinhicking>
Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)
diff --git a/include/admin/category.inc.php b/include/admin/category.inc.php

index e49bf8236baa4ff3d36f6919fbc9729a6662cf75..6c1c92cb9962c9ea5c91f2dbe0fff562ca2523be 100644 (file)
--- a/include/admin/category.inc.php
+++ b/include/admin/category.inc.php
@@ -57,7 +57,7 @@ if (isset($_POST['SAVE'])) {
                                                      AND categoryid <> ". (int)$serendipity['GET']['cid'], true);
              if ( $sql ) {
                  echo '<div class="serendipityAdminMsgError">'. sprintf(CATEGORY_ALREADY_EXIST, htmlspecialchars($name)) .'</div>';
-            } else if (!serendipity_ACLCheck($serendipity['authorid'], $serendipity['GET']['cid'], 'category', 'write')) {
+            } else if (!serendipity_checkPermission('adminCategoriesMaintainOthers') && !serendipity_ACLCheck($serendipity['authorid'], $serendipity['GET']['cid'], 'category', 'write')) {
                  echo '<div class="serendipityAdminMsgError">'. PERM_DENIED .'</div>';
              } else {
                  /* Check to make sure parent is not a child of self */
diff --git a/include/functions_config.inc.php b/include/functions_config.inc.php

index 3b307c9525cbd38b6d6a58cd8df7dee2063dffab..a2313973690454abe5dbe11bc38f3fb5b13101cd 100644 (file)
--- a/include/functions_config.inc.php
+++ b/include/functions_config.inc.php
@@ -1009,6 +1009,8 @@ function serendipity_ACLCheck($authorid, $artifact_id, $artifact_type, $artifact
      global $serendipity;
      
      $artifact_sql = array();
+    
+    // TODO: If more artifact_types are available, the JOIN needs to be edited so that the first AND portion is not required, and the join is fully made on that conditiion. 
      switch($artifact_type) {
          default:
          case 'category':
@@ -1023,12 +1025,11 @@ function serendipity_ACLCheck($authorid, $artifact_id, $artifact_type, $artifact
     LEFT OUTER JOIN {$serendipity['dbPrefix']}authorgroups AS ag
                  ON ag.authorid = ". (int)$authorid . "
     LEFT OUTER JOIN {$serendipity['dbPrefix']}access AS a 
-                ON (ag.groupid = a.groupid OR a.groupid = 0)
+                ON (a.artifact_id = " . (int)$artifact_id . " AND (ag.groupid = a.groupid OR a.groupid = 0) )
  
               WHERE {$artifact_sql['cond']} 
                 AND ((
-                        a.artifact_id = " . (int)$artifact_id . "
-                    AND a.artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
+                        a.artifact_type = '" . serendipity_db_escape_string($artifact_type) . "'
                      AND a.artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'
                     )
                      {$artifact_sql['where']}
author	garvinhicking <garvinhicking>
	Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)
committer	garvinhicking <garvinhicking>
	Mon, 12 Sep 2005 13:01:15 +0000 (13:01 +0000)
include/admin/category.inc.php		patch \| blob \| history
include/functions_config.inc.php		patch \| blob \| history