From 9e6be40e31b06e5dffe7552928cb8b2d9ee7ad59 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Mon, 21 Sep 2009 20:47:55 -0700
Subject: Add viewable() protection to children() and children_count() calls.
This is not currently necessary (nor is it a security hole) because we don't constrain permissions at the child level in the core, but it makes our security audits easier and will enable the scenario where somebody writes a module to add per-photo permissions.
---
 modules/gallery/controllers/photos.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules')
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index e6154535..3de9b3ee 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -31,7 +31,7 @@ class Photos_Controller extends Items_Controller {
 $photo->parent()->children(3, $position - 2);
 } else {
 $previous_item = null;
- list ($next_item) = $photo->parent()->children(1, $position);
+ list ($next_item) = $photo->parent()->viewable()->children(1, $position);
 }
 $template = new Theme_View("page.html", "photo");
@@ -41,7 +41,7 @@ class Photos_Controller extends Items_Controller {
 $template->set_global("parents", $photo->parents());
 $template->set_global("next_item", $next_item);
 $template->set_global("previous_item", $previous_item);
- $template->set_global("sibling_count", $photo->parent()->children_count());
+ $template->set_global("sibling_count", $photo->parent()->viewable()->children_count());
 $template->set_global("position", $position);
 $template->content = new View("photo.html");
-- 
cgit v1.2.3
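Review bot: In the first hunk (-31,7) the three-item lookup in the branch above the changed line, `$photo->parent()->children(3, $position - 2);`, is still unscoped, so the previous/next items for any photo that is not first in its album are fetched without the viewable() filter that the else branch now gets. To match the commit's stated goal that context line should read `$photo->parent()->viewable()->children(3, $position - 2);`. The opening of the if statement and the computation of `$position` are outside the hunk, so it cannot be confirmed from here that `$position` is counted over viewable siblings; if it is not, the offsets passed to children() will drift from the filtered list once per-item permissions exist.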
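Review bot: In the second hunk (-41,7) `sibling_count` is now counted over viewable children only, but `position`, set on the next line, is computed outside the hunk and is not visibly filtered the same way. If it comes from an unfiltered ordering, the template can receive a position larger than the sibling count, and the gap would disclose how many items the viewer is not allowed to see. I would add a comment above these two calls such as `// position and sibling_count must both be computed over viewable() siblings` and confirm that the position lookup applies the same filter.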