From 8fbad351616566e9037bf0f51df6a1bc80d80882 Mon Sep 17 00:00:00 2001
From: Vincent Zanotti <vincent.zanotti@polytechnique.org>
Date: Sat, 22 Mar 2008 19:58:41 +0100
Subject: [PATCH] Prevents disabled users from accessing hash-protected
 resources (currently RSS feeds, and iCal calendars).

Signed-off-by: Vincent Zanotti <vincent.zanotti@polytechnique.org>
---
 include/rss.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/rss.inc.php b/include/rss.inc.php
index 9dc4f86..89d63ca 100644
--- a/include/rss.inc.php
+++ b/include/rss.inc.php
@@ -37,7 +37,8 @@ function init_rss($template, $alias, $hash, $require_uid = true)
     $res = XDB::query(
         'SELECT  a.id
            FROM  aliases         AS a
-     INNER JOIN  auth_user_quick AS q ON ( a.id = q.user_id AND q.core_rss_hash = {?} )
+     INNER JOIN  auth_user_md5   AS u ON (a.id = u.user_id AND u.perms IN ("admin", "user"))
+     INNER JOIN  auth_user_quick AS q ON (a.id = q.user_id AND q.core_rss_hash = {?})
           WHERE  a.alias = {?} AND a.type != "homonyme"', $hash, $alias);
     $uid = $res->fetchOneCell();
 
-- 
2.1.4