From 0960d26fbfe21ac1af640f7d4d129d53dcba62ae Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@bluestatic.org>
Date: Sun, 20 Aug 2006 23:10:59 +0000
Subject: [PATCH] r1103: Better permission checking for the favorites list

---
 docs/changes.txt | 1 +
 favorite.php     | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/changes.txt b/docs/changes.txt
index 0f24089..5268dd9 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -14,6 +14,7 @@
 - Fixed a bug where there could be two <select> menus in userctrl.php because we double-wrapped a <select> [userctrl.tpl]
 - Cast to array to remove foreach() warnings [userctrl.php#160]
 - Fixed a bug that would cause searching to result in a SQL error
+- Added better checking of hidden bugs for the favorites list
 
 1.1.0 Beta 1
 ==================
diff --git a/favorite.php b/favorite.php
index d5b6b3b..11c3778 100644
--- a/favorite.php
+++ b/favorite.php
@@ -71,8 +71,9 @@ if ($_REQUEST['do'] == 'manage')
 		SELECT favorite.bugid, bug.* FROM " . TABLE_PREFIX . "favorite AS favorite
 		RIGHT JOIN " . TABLE_PREFIX . "bug AS bug
 			ON (favorite.bugid = bug.bugid)
-		WHERE favorite.userid = " . $bugsys->userinfo['userid']
-	);
+		WHERE favorite.userid = " . $bugsys->userinfo['userid'] . "
+		AND (!bug.hidden OR (bug.hidden AND bug.product IN (" . fetch_on_bits('canviewhidden') . "))" . (can_perform('canviewownhidden') ? " OR (bug.hidden AND bug.userid = " . $bugsys->userinfo['userid'] . " AND bug.product IN (" . fetch_on_bits('canviewownhidden') . "))" : "") . ")
+	");
 	while ($bug = $db->fetch_array($favorites))
 	{
 		$funct->exec_swap_bg($stylevar['alt_color'], '');
-- 
2.22.5