From: Vincent Zanotti <vincent.zanotti@polytechnique.org>
Date: Sat, 22 Mar 2008 18:58:41 +0000 (+0100)
Subject: Prevents disabled users from accessing hash-protected resources (currently RSS feeds... 
X-Git-Tag: xorg/0.9.16~83
X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=8fbad351616566e9037bf0f51df6a1bc80d80882;p=platal.git

Prevents disabled users from accessing hash-protected resources (currently RSS feeds, and iCal calendars).

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
---

diff --git a/include/rss.inc.php b/include/rss.inc.php
index 9dc4f86..89d63ca 100644
--- a/include/rss.inc.php
+++ b/include/rss.inc.php
@@ -37,7 +37,8 @@ function init_rss($template, $alias, $hash, $require_uid = true)
     $res = XDB::query(
         'SELECT  a.id
            FROM  aliases         AS a
-     INNER JOIN  auth_user_quick AS q ON ( a.id = q.user_id AND q.core_rss_hash = {?} )
+     INNER JOIN  auth_user_md5   AS u ON (a.id = u.user_id AND u.perms IN ("admin", "user"))
+     INNER JOIN  auth_user_quick AS q ON (a.id = q.user_id AND q.core_rss_hash = {?})
           WHERE  a.alias = {?} AND a.type != "homonyme"', $hash, $alias);
     $uid = $res->fetchOneCell();