From: Benjamin C. <bc...@us...> - 2004-08-23 13:01:46
Update of /cvsroot/phpbt/phpbt In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12766 Modified Files: Tag: htmltemplates query.php Log Message: Fixes bug #1005698 - User can list bugs for a project for which he has no permission to view. Original fix provided by Mufasa. Index: query.php =================================================================== RCS file: /cvsroot/phpbt/phpbt/query.php,v retrieving revision 1.98.2.9 retrieving revision 1.98.2.10
diff -u -r1.98.2.9 -r1.98.2.10
--- query.php 28 Jul 2004 13:34:25 -0000 1.98.2.9
+++ query.php 23 Aug 2004 13:01:32 -0000 1.98.2.10
@@ -100,7 +100,7 @@
 $flags[] = 'b.severity_id in ('.@join(',',$severity).')';
 }
 if (!empty($database) and isset($database[0])) {
- // $database[0] can be 0, which stands for no database reported
+ // $database[0] can be 0, which stands for no database reported
 $flags[] = 'b.database_id in ('.@join(',',$database).')';
 }
 if (!empty($site) and $site[0]) {
@@ -408,8 +408,14 @@
 $open = !empty($_GET['open']) ? $_GET['open'] : 0;
 // Make sure the page variable is numeric, if it's populated
-if (!empty($_gv['page'])) $_gv['page'] = preg_replace('/[^0-9]/', '', $_gv['page']);
+if (!empty($_GET['page'])) $_GET['page'] = preg_replace('/[^0-9]/', '', $_GET['page']);
+// Make sure the user has permission to list bugs
+if (!empty($_GET['projects']) && isset($restricted_projects) &&
+ in_array($_GET['projects'], explode(',', $restricted_projects))) {
+ show_text(translate("You do not have the rights to view this project.", true));
+ exit;
+}
 if (isset($_GET['op'])) switch($_GET['op']) {
 case 'query' : show_query(); break;
|
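Review bot: The new permission check in the second hunk passes `$_GET['projects']` as the needle of `in_array`, so if the parameter arrives as an array (the sibling filters in the first hunk, `@join(',',$severity)` and `$database[0]`, suggest that is the normal shape for these query parameters) the needle is an array, never equals a string from the restricted list, and the request falls through to the query without the check having applied. Testing the whole requested set is a one-line change: replace the `in_array(...)` call with `array_intersect((array) $_GET['projects'], explode(',', $restricted_projects))` and keep the surrounding `&&` condition as is, since a non-empty intersection is truthy. The guard is also skipped entirely when `$restricted_projects` is unset, which is fail-open if that variable is only populated on some code paths; if unset is meant to mean "no restrictions", a comment such as `// $restricted_projects unset: user may see every project` would document the contract. It likewise only fires when `projects` is non-empty, so a query with no project filter still relies on the SQL built further down to exclude restricted projects, which is worth confirming. The `switch` on the last context line continues outside the hunk.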