Topic: Topics are shown regardless of permission
Converted
12
Posts: 0

Posted: 10.Feb 2006 - 00:31

I'll bet this has already been fixed; in:

function photosharePNGetTopics($currentTopic)

you should check that the user has access to the topics being returned.

For example, change:

Code

$sql = "SELECT $topicsColumn[tid],
               $topicsColumn[topictext]
        FROM $topicsTable
        ORDER BY $topicsColumn[topictext]";


to

Code

$sql = "SELECT $topicsColumn[tid],
               $topicsColumn[topictext],
               $topicsColumn[topicname]
        FROM $topicsTable
        ORDER BY $topicsColumn[topictext]";


and later in the same function, change this:

Code

for (; !$result->EOF; $result->MoveNext())
{
    $topics[] = array('id'       => $result->fields[0],
                      'name'     => $result->fields[1],
                      'selected' => ($result->fields[0] == $currentTopic));
}


to

Code

for (; !$result->EOF; $result->MoveNext())
{
    // Only return topics the current user has read access to.
    // fields[2] is topicname, fields[0] is tid (see the SELECT above).
    if (pnSecAuthAction(0, 'Topics::Topic', $result->fields[2]."::".$result->fields[0], ACCESS_READ)) {
        $topics[] = array('id'       => $result->fields[0],
                          'name'     => $result->fields[1],
                          'selected' => ($result->fields[0] == $currentTopic));
    }
}