PRIVACY: item_private seems to have been removed from permissions_sql checking with an observer.

2015-09-07 03:59:38 -07:00
parent f7d9523c7d
commit 1b09c64856
3 changed files with 182 additions and 182 deletions
--- a/include/security.php
+++ b/include/security.php
@@ -260,7 +260,7 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 			$regexop = db_getfunc('REGEXP');
 			$sql = sprintf(
 				" AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
-				  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') )
+				  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
 				  )
 				",
 				dbesc(protect_sprintf( '%<' . $observer . '>%')),
@@ -295,7 +295,7 @@ function public_permissions_sql($observer_hash) {
 		$regexop = db_getfunc('REGEXP');
 		$sql = sprintf(
 			" OR (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
-			  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '') )
+			  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ) )
 			  ))
 			",
 			dbesc(protect_sprintf( '%<' . $observer_hash . '>%')),