authorBharat Mediratta <bharat@menalto.com>2009-09-21 20:47:55 -0700
committerBharat Mediratta <bharat@menalto.com>2009-09-21 20:47:55 -0700
commit9e6be40e31b06e5dffe7552928cb8b2d9ee7ad59 (patch)
treef405e4e8c3c9082799370ea65231ba809407111a /modules/gallery/controllers/photos.php
parenta6581ede0b7a50c6159eb5d36cf6be340a072609 (diff)
Add viewable() protection to children() and children_count() calls.
This is not currently necessary (nor is it a security hole) because we don't constrain permissions at the child level in the core, but it makes our security audits easier and will enable the scenario where somebody writes a module to add per-photo permissions.
Diffstat (limited to 'modules/gallery/controllers/photos.php')
-rw-r--r--modules/gallery/controllers/photos.php4
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index e6154535..3de9b3ee 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -31,7 +31,7 @@ class Photos_Controller extends Items_Controller {
$photo->parent()->children(3, $position - 2);
} else {
$previous_item = null;
- list ($next_item) = $photo->parent()->children(1, $position);
+ list ($next_item) = $photo->parent()->viewable()->children(1, $position);
}
$template = new Theme_View("page.html", "photo");
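Review bot: The `if` branch shown as context at the top of this hunk still calls `$photo->parent()->children(3, $position - 2);` without `viewable()`, so the previous/next lookup for any photo that is not first in its album stays unfiltered and the audit property described in the commit message does not hold for the whole function. For consistency with the changed `else` branch it should read `$photo->parent()->viewable()->children(3, $position - 2);`. `$position` is computed outside the hunk; if it comes from an unfiltered sibling ordering, the offsets passed to the filtered `children()` calls and the filtered `sibling_count` in the second hunk could disagree once a module adds per-item permissions, so it is worth confirming that it is derived from the same viewable set. The enclosing method begins and ends outside this hunk.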
@@ -41,7 +41,7 @@ class Photos_Controller extends Items_Controller {
$template->set_global("parents", $photo->parents());
$template->set_global("next_item", $next_item);
$template->set_global("previous_item", $previous_item);
- $template->set_global("sibling_count", $photo->parent()->children_count());
+ $template->set_global("sibling_count", $photo->parent()->viewable()->children_count());
$template->set_global("position", $position);
$template->content = new View("photo.html");