r1103: Better permission checking for the favorites list

diff --git a/docs/changes.txt b/docs/changes.txt
index 0f2408959ccdf8f9ff9ad222f33a71b032d98af9..5268dd9078da741846ebf1d8a2ab1af20e74764a 100644 (file)
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -14,6 +14,7 @@
 - Fixed a bug where there could be two <select> menus in userctrl.php because we double-wrapped a <select> [userctrl.tpl]
 - Cast to array to remove foreach() warnings [userctrl.php#160]
 - Fixed a bug that would cause searching to result in a SQL error
+- Added better checking of hidden bugs for the favorites list
 
 1.1.0 Beta 1
 ==================

diff --git a/favorite.php b/favorite.php
index d5b6b3be7759d5b69e5eb12606fb180e756e6a76..11c3778d737fe457967ae5ed3e415afb20700202 100644 (file)
--- a/favorite.php
+++ b/favorite.php
@@ -71,8 +71,9 @@ if ($_REQUEST['do'] == 'manage')
                SELECT favorite.bugid, bug.* FROM " . TABLE_PREFIX . "favorite AS favorite
                RIGHT JOIN " . TABLE_PREFIX . "bug AS bug
                        ON (favorite.bugid = bug.bugid)
-               WHERE favorite.userid = " . $bugsys->userinfo['userid']
-       );
+               WHERE favorite.userid = " . $bugsys->userinfo['userid'] . "
+               AND (!bug.hidden OR (bug.hidden AND bug.product IN (" . fetch_on_bits('canviewhidden') . "))" . (can_perform('canviewownhidden') ? " OR (bug.hidden AND bug.userid = " . $bugsys->userinfo['userid'] . " AND bug.product IN (" . fetch_on_bits('canviewownhidden') . "))" : "") . ")
+       ");
        while ($bug = $db->fetch_array($favorites))
        {
                $funct->exec_swap_bg($stylevar['alt_color'], '');