author | Andreas Gohr <andi@splitbrain.org> | 2005-09-25 11:56:12 +0200 |
---|---|---|
committer | Andreas Gohr <andi@splitbrain.org> | 2005-09-25 11:56:12 +0200 |
commit | ae56bfb6216da28c214a2237e3ba7e9a5f1da37d (patch) | |
tree | 20ebaf55590990c94fb546b2ca8467b6d4525214 | |
parent | d9aba8f4c16cf995321de4e81466dba7be337e5e (diff) | |
SECURITY FIX: acl check in _getRecents added
ACLs weren't checked in the new getRecent function. Recent Changes and
the RSS/ATOM feeds displayed all changes regardless of user permissions.
darcs-hash:20050925095612-7ad00-5885e6616a4214eb99662eac08267b0a6f527625.gz
-rw-r--r-- | inc/common.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/inc/common.php b/inc/common.php
index 4585634fc..d6a367566 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -621,6 +621,9 @@ function _handleRecent($line,$incdel,$ns,$subNS){
 // exclude subnamespaces
 if ((!$subNS) && (getNS($id) != $ns)) return false;

+ // check ACL
+ if (auth_quickaclcheck($id) < AUTH_READ) return false;
+
 // check existance
 if(!@file_exists(wikiFN($id))){
 if(!$incdel){ |
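Review bot: The added `// check ACL` comment does not record why the check sits ahead of the `// check existance` block, and that ordering is what also filters changelog entries for deleted pages the current user may not read. I would spell it out so a later reorder does not reopen the leak, e.g. `// skip entries the current user may not read; must run before the existence check so deleted pages are filtered too`. The check is evaluated for whoever is making the request, so if the Recent Changes or RSS/ATOM output is cached or shared between users anywhere (not visible in this hunk), that cache presumably needs to be per-user or purged when this fix is deployed. The body of `_handleRecent` starts and ends outside the hunk, so anything that runs before this point is not covered by this note.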