From ad719b9b6f3391da1ba7e481890317cdc409c616 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta <bharat@menalto.com>
Date: Wed, 31 Dec 2008 00:18:24 +0000
Subject: Fully implement the view_full permission.

---
 core/controllers/file_proxy.php | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'core/controllers/file_proxy.php')

diff --git a/core/controllers/file_proxy.php b/core/controllers/file_proxy.php
index 30117f07..3cf915a6 100644
--- a/core/controllers/file_proxy.php
+++ b/core/controllers/file_proxy.php
@@ -95,6 +95,11 @@ class File_Proxy_Controller extends Controller {
       kohana::show_404();
     }
 
+    // Make sure we have view_full access to the original
+    if ($type == "albums" && !access::can("view_full", $item)) {
+      kohana::show_404();
+    }
+
     // Don't try to load a directory
     if ($type == "albums" && $item->is_album()) {
       kohana::show_404();
-- 
cgit v1.2.3