authorAndreas Gohr <andi@splitbrain.org>2005-09-12 16:30:27 +0200
committerAndreas Gohr <andi@splitbrain.org>2005-09-12 16:30:27 +0200
commit63773904ba897df090aab60fbf1598ae47775fe8 (patch)
treec089a6c50b850d01e9a54c603133325cd10d8026
parent54f4c05648c376908a736854a2ad279d57ec5b19 (diff)
added missing ACL checks for new index based searches
darcs-hash:20050912143027-7ad00-b2f3165d8db7122a453ecc63ad031af4467f691f.gz
-rw-r--r--inc/fulltext.php28
-rw-r--r--inc/indexer.php3
2 files changed, 31 insertions, 0 deletions
diff --git a/inc/fulltext.php b/inc/fulltext.php
index ff29f9deb..3940bc0c4 100644
--- a/inc/fulltext.php
+++ b/inc/fulltext.php
@@ -70,6 +70,15 @@ function ft_pageSearch($query,&$poswords){
if(!count($docs)) return array();
+ // check ACL permissions
+ foreach(array_keys($docs) as $doc){
+ if(auth_quickaclcheck($doc) < AUTH_READ){
+ unset($docs[$doc]);
+ }
+ }
+
+ if(!count($docs)) return array();
+
// if there are any hits left, sort them by count
arsort($docs);
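Review bot: The same read-permission filter is written out three times, here in ft_pageSearch and again in the ft_backlinks and ft_pageLookup hunks, so the next index-backed search function can omit it just as these did before the commit. A single helper in inc/fulltext.php that takes a list of page ids and returns only those where `auth_quickaclcheck($id) >= AUTH_READ` would keep the rule in one place; ft_pageSearch would pass `array_keys($docs)` because its ids are the keys, while the other two would pass the array values. The early returns also differ between the hunks (`return array()` versus `return $result`), which a shared helper would make unnecessary. ft_pageSearch's body starts and ends outside the hunk.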
@@ -114,6 +123,15 @@ function ft_backlinks($id){
}
}
+ if(!count($result)) return $result;
+
+ // check ACL permissions
+ foreach(array_keys($result) as $idx){
+ if(auth_quickaclcheck($result[$idx]) < AUTH_READ){
+ unset($result[$idx]);
+ }
+ }
+
sort($result);
return $result;
}
@@ -145,6 +163,16 @@ function ft_pageLookup($id,$pageonly=true){
continue;
}
}
+
+ if(!count($pages)) return array();
+
+ // check ACL permissions
+ foreach(array_keys($pages) as $idx){
+ if(auth_quickaclcheck($pages[$idx]) < AUTH_READ){
+ unset($pages[$idx]);
+ }
+ }
+
sort($pages);
return $pages;
}
diff --git a/inc/indexer.php b/inc/indexer.php
index ce58f47a7..747463d0f 100644
--- a/inc/indexer.php
+++ b/inc/indexer.php
@@ -199,6 +199,9 @@ function idx_writeIndexLine($fh,$line,$pid,$count){
* Takes an array of word and will return a list of matching
* documents for each one.
*
+ * Important: No ACL checking is done here! All results are
+ * returned, regardless of permissions
+ *
* @author Andreas Gohr <andi@splitbrain.org>
*/
function idx_lookup($words){
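Review bot: The added warning says what idx_lookup does not do, but not what a caller has to do about it, so the obligation stays implicit. I would extend the docblock with ` * Callers must drop every page for which auth_quickaclcheck() returns less than AUTH_READ before showing results.` so that it names the check used in inc/fulltext.php. The function body lies outside the hunk, so whether every existing caller already filters cannot be confirmed from here.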