From: garvinhicking
Date: Mon, 5 Dec 2005 09:03:15 +0000 (+0000)
Subject: fix bug #1371893: Wrong category read permissions
X-Git-Tag: 0.9.1~17
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=dd49066a95a26a06ebd7402339e451bbc3869b27;p=s9y.git
fix bug #1371893: Wrong category read permissions
---
diff --git a/docs/NEWS b/docs/NEWS
index de64457..004e0aa 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -3,6 +3,10 @@ Version 0.9.2 ()
 ------------------------------------------------------------------------
+ * Fix bug #1371893: Category write permissions are not properly
+ evaluated when writing into a category that a user has no
+ access to. Thanks to cydvicious! (garvinhicking)
+
 * Fix bug #1371630: Write permissions to category are stored with input data of the 'Read permissions' author listing.
diff --git a/include/functions_entries.inc.php b/include/functions_entries.inc.php
index 1233fdc..5644446 100644
--- a/include/functions_entries.inc.php
+++ b/include/functions_entries.inc.php
@@ -430,15 +430,17 @@ function serendipity_fetchCategories($authorid = null, $name = null, $order = nu
 $where = '';
 if ($authorid != 'all' && is_numeric($authorid)) {
+ $sql_authorid = $authorid;
 if (!serendipity_checkPermission('adminCategoriesMaintainOthers', $authorid)) {
 $where = " WHERE (c.authorid = $authorid OR c.authorid = 0)";
 $where .= "OR ( acl.artifact_type = 'category' AND acl.artifact_mode = '" . serendipity_db_escape_string($artifact_mode) . "'
- )";
+ ) ";
 }
 } else {
+ $sql_authorid = 'c.authorid';
 $where = '';
 }
@@ -473,7 +475,7 @@ function serendipity_fetchCategories($authorid = null, $name = null, $order = nu
 a.realname
 FROM {$serendipity['dbPrefix']}category AS c
 LEFT OUTER JOIN {$serendipity['dbPrefix']}authors AS a
- ON c.authorid = a.authorid
+ ON c.authorid = $sql_authorid
 LEFT OUTER JOIN {$serendipity['dbPrefix']}authorgroups AS ag
 ON ag.authorid = a.authorid
 LEFT OUTER JOIN {$serendipity['dbPrefix']}access AS acl
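Review bot: In the `@@ -430,15 +430,17 @@` hunk of include/functions_entries.inc.php, the added `$sql_authorid = $authorid;` copies a value that has only passed `is_numeric()`, and the later hunk interpolates it unquoted into the JOIN condition. `is_numeric()` also accepts floats, exponent notation and whitespace-padded strings, so what reaches the SQL text is not guaranteed to be a plain integer id; `$sql_authorid = (int) $authorid;` would pin it down. The variable holds an id literal in one branch and the column name `c.authorid` in the other, which deserves a comment such as `// SQL fragment: author id literal, or the column itself when no author filter applies`. The body of serendipity_fetchCategories starts and ends outside this hunk.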
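Review bot: In the `@@ -473,7 +475,7 @@` hunk, the new condition `ON c.authorid = $sql_authorid` no longer mentions the `a` alias, so the authors join is not correlated to any author row. In the else branch it expands to `c.authorid = c.authorid`, which appears to pair each category with every row of the authors table, and the following `ON ag.authorid = a.authorid` then brings in the groups of all those authors. If the ACL join that begins on the last visible line matches on `ag`'s group id, the read/write check may be evaluated against groups the requesting author does not belong to, and `a.realname` would stop being the category owner's name. One option is to keep `ON c.authorid = a.authorid` and move the filter to the group join, `ON ag.authorid = $sql_authorid`. The rest of the query lies outside the hunk, so this should be confirmed against the full statement.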