From ae56bfb6216da28c214a2237e3ba7e9a5f1da37d Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Sun, 25 Sep 2005 11:56:12 +0200
Subject: [PATCH] SECURITY FIX: acl check in _getRecents added

ACLs weren't checked in the new getRecent function. Recent Changes and
the RSS/ATOM feeds displayed all changes regardless of user permissions.

darcs-hash:20050925095612-7ad00-5885e6616a4214eb99662eac08267b0a6f527625.gz
---
 inc/common.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/inc/common.php b/inc/common.php
index 4585634fc..d6a367566 100644
--- a/inc/common.php
+++ b/inc/common.php
@@ -621,6 +621,9 @@ function _handleRecent($line,$incdel,$ns,$subNS){
   // exclude subnamespaces
   if ((!$subNS) && (getNS($id) != $ns)) return false;
 
+  // check ACL
+  if (auth_quickaclcheck($id) < AUTH_READ) return false;
+
   // check existance
   if(!@file_exists(wikiFN($id))){
     if(!$incdel){
-- 
GitLab