[open-ils-commits] r16747 - trunk/Open-ILS/src/c-apps (scottmk)
svn at svn.open-ils.org
Thu Jun 17 15:16:49 EDT 2010
Author: scottmk
Date: 2010-06-17 15:16:45 -0400 (Thu, 17 Jun 2010)
New Revision: 16747
Modified:
trunk/Open-ILS/src/c-apps/oils_sql.c
Log:
1. Disable fleshing for PCRUD. Otherwise fleshing would provide a
back door whereby a user could see stuff he has no permission to see.
2. For the id_list method: strip out the "flesh_fields" entry, not
the "flesh_columns" entry (which doesn't exist). This actually makes
no difference, but if we're going to do something useless, we might
as well do it right.
M Open-ILS/src/c-apps/oils_sql.c
Modified: trunk/Open-ILS/src/c-apps/oils_sql.c
===================================================================
--- trunk/Open-ILS/src/c-apps/oils_sql.c 2010-06-17 18:45:16 UTC (rev 16746)
+++ trunk/Open-ILS/src/c-apps/oils_sql.c 2010-06-17 19:16:45 UTC (rev 16747)
@@ -1100,7 +1100,7 @@
jsonObjectRemoveKey( rest_of_query, "select" );
jsonObjectRemoveKey( rest_of_query, "no_i18n" );
jsonObjectRemoveKey( rest_of_query, "flesh" );
- jsonObjectRemoveKey( rest_of_query, "flesh_columns" );
+ jsonObjectRemoveKey( rest_of_query, "flesh_fields" );
} else {
rest_of_query = jsonNewObjectType( JSON_HASH );
}
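Review bot: the `flesh` key is already removed on the line above, so stripping `flesh_fields` here cannot change what the id_list path returns (as the log message itself concedes); a one-line comment above this block saying that id_list never fleshes, and that the remaining keys are stripped purely to keep the forwarded query clean, would spare the next reader from hunting for a permission reason behind this change.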
@@ -5225,8 +5225,10 @@
dbi_result_free( result );
free( sql );
- // If we're asked to flesh, and there's anything to flesh, then flesh.
- if( res_list->size && query_hash ) {
+ // If we're asked to flesh, and there's anything to flesh, then flesh it
+ // (but not for PCRUD, lest the user to bypass permissions by fleshing
+ // something that he has no permission to look at).
+ if( res_list->size && query_hash && ! enforce_pcrud ) {
_tmp = jsonObjectGetKeyConst( query_hash, "flesh" );
if( _tmp ) {
// Get the flesh depth
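Review bot: the added `! enforce_pcrud` term on the `if` makes a PCRUD caller's `flesh` request fail silently, so the client receives unfleshed rows with nothing in the response or the log to say the fleshing was refused rather than empty; consider logging a warning (or returning an explicit error) when `query_hash` carries a `flesh` key and `enforce_pcrud` is set, so the permission-driven refusal is visible and not mistaken for missing data. The new comment also reads "lest the user to bypass permissions" and should be "lest the user bypass permissions".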