author | Bharat Mediratta <bharat@menalto.com> | 2010-08-14 15:45:16 -0700 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2010-08-14 15:45:16 -0700 |
commit | b562751fdb2ae8aab3a344e84176ea03381ca04c (patch) | |
tree | 2fbcfd66c08fa42e4c65ebf58a513ae84dcb1bd1 /modules/gallery/helpers/items_rest.php | |
parent | 50e3230d79b8736f78ebaa4f1c7e6df1c29b3243 (diff) |
Don't expose members of an item that are not viewable by the end user.
This leaks item ids, but no other information about the item. Fixes
ticket #1292.
Diffstat (limited to 'modules/gallery/helpers/items_rest.php')
-rw-r--r-- | modules/gallery/helpers/items_rest.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php
index 9cca9a54..f0b68d63 100644
--- a/modules/gallery/helpers/items_rest.php
+++ b/modules/gallery/helpers/items_rest.php
@@ -80,7 +80,7 @@ class items_rest_Core {
 "relationships" => rest::relationships("item", $item));
 if ($item->type == "album") {
 $members = array();
- foreach ($item->children() as $child) {
+ foreach ($item->viewable()->children() as $child) {
 $members[] = rest::url("item", $child);
 }
 $item_rest["members"] = $members; |
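Review bot: The `viewable()` call on the changed `foreach` line is the only thing keeping non-viewable children out of the `members` list, and nothing in the code says so; a comment above the loop such as `// Only list children the requesting user may view; an unfiltered children() call exposes their item ids (ticket #1292).` would keep a later refactor from dropping it. The fix relies on `viewable()` scoping the query that `children()` then runs, and both are defined outside this hunk, so a regression test that fetches an album holding a restricted child as an unprivileged user and asserts the child's URL is absent from `members` would pin the behavior. The context line `rest::relationships("item", $item)` contributes other links to the same response and may deserve the same check, though that cannot be judged from the lines shown. The enclosing function starts and ends outside the hunk.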