From b562751fdb2ae8aab3a344e84176ea03381ca04c Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sat, 14 Aug 2010 15:45:16 -0700
Subject: Don't expose members of an item that are not viewable by the end user. This leaks item ids, but no other information about the item. Fixes ticket #1292.
---
 modules/gallery/helpers/items_rest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'modules')
diff --git a/modules/gallery/helpers/items_rest.php b/modules/gallery/helpers/items_rest.php
index 9cca9a54..f0b68d63 100644
--- a/modules/gallery/helpers/items_rest.php
+++ b/modules/gallery/helpers/items_rest.php
@@ -80,7 +80,7 @@ class items_rest_Core {
 "relationships" => rest::relationships("item", $item));
 if ($item->type == "album") {
 $members = array();
- foreach ($item->children() as $child) {
+ foreach ($item->viewable()->children() as $child) {
 $members[] = rest::url("item", $child);
 }
 $item_rest["members"] = $members;
--
cgit v1.2.3
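Review bot: The `viewable()` call on the new `foreach` line is the only thing keeping restricted children out of `members`, and nothing on the line says so; a comment such as `// viewable() limits this to children the active user may see; plain children() leaked restricted item ids (ticket #1292)` would stop a later cleanup from dropping it. Because the filter is opt-in at each call site, any other place in this helper that enumerates children or descendants presumably needs the same call, which cannot be confirmed here since the enclosing function starts and ends outside the hunk. The diffstat shows a single file changed, so no regression test accompanies the fix; a test that requests an album as a user lacking view permission on one child and asserts that child's URL is absent from `members` would pin the behaviour.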