From c15406925832d6758a1829e40a9ad3f8179744c2 Mon Sep 17 00:00:00 2001
From: Florent Bruneau
Date: Sat, 5 Jun 2010 11:40:24 +0200
Subject: [PATCH] Fix a bug giving read access to the contacts of another user when adding/removing this user from our contacts. Close #1080
Signed-off-by: Florent Bruneau
---
 modules/carnet.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/modules/carnet.php b/modules/carnet.php
index 7479b3c..d71aec1 100644
--- a/modules/carnet.php
+++ b/modules/carnet.php
@@ -266,18 +266,20 @@ class CarnetModule extends PLModule
 }
 switch (Env::v('action')) {
 case 'retirer':
- if (($user = User::get(Env::v('user')))) {
+ if (($contact = User::get(Env::v('user')))) {
 if (XDB::execute("DELETE FROM contacts
- WHERE uid = {?} AND contact = {?}", $uid, $user->id())) {
+ WHERE uid = {?} AND contact = {?}",
+ $uid, $contact->id())) {
 $page->trigSuccess("Contact retiré !");
 }
 }
 break;

 case 'ajouter':
- if (($user = User::get(Env::v('user')))) {
+ if (($contact = User::get(Env::v('user')))) {
 if (XDB::execute("REPLACE INTO contacts (uid, contact)
- VALUES ({?}, {?})", $uid, $user->id())) {
+ VALUES ({?}, {?})",
+ $uid, $contact->id())) {
 $page->trigSuccess('Contact ajouté !');
 } else {
 $page->trigWarning('Contact déjà dans la liste !');
-- 
2.1.4
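Review bot: Nothing in the `retirer` and `ajouter` branches records why the looked-up account must not be stored in `$user`, so the same cross-account read can come back with the next edit; a comment above each lookup would pin the invariant, e.g. `// Keep this in $contact: $user must stay the account whose contact list is rendered (see #1080).` The rest of the handler lies outside the hunk, so the later use of `$user` is inferred from the commit message; if that code can key its query on `$uid` instead, the protection no longer depends on variable naming. Both branches also change state from `Env::v('action')` and `Env::v('user')`, and no anti-CSRF token check is visible in this hunk, so it is worth confirming that one runs earlier in the handler.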