add one more level of parentheses to ensure operator precedence is correctly evaluated

2015-09-28 20:03:11 -07:00
parent f965209eee
commit 8d5556764c
2 changed files with 4 additions and 4 deletions
--- a/include/security.php
+++ b/include/security.php
@@ -258,9 +258,9 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 			}
 			$regexop = db_getfunc('REGEXP');
 			$sql = sprintf(
-				" AND ( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
+				" AND (( NOT (deny_cid like '%s' OR deny_gid $regexop '%s')
 				  AND ( allow_cid like '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
-				  ) OR ( item_private = 1 $s )
+				  ) OR ( item_private = 1 $s ))
 				",
 				dbesc(protect_sprintf( '%<' . $observer . '>%')),
 				dbesc($gs),