honour sys channel permissions for who can view the sys owned content

1 files changed, 11 insertions, 2 deletions

diff --git a/mod/display.php b/mod/display.php
index 31cce95d3..c389eb976 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -139,7 +139,9 @@ function display_content(&$a, $update = 0, $load = false) {
 
 	}
 
-	$sql_extra = public_permissions_sql(get_observer_hash());
+	$observer_hash = get_observer_hash();
+
+	$sql_extra = public_permissions_sql($observer_hash);
 
 	if(($update && $load) || ($_COOKIE['jsAvailable'] != 1)) {
 
@@ -170,12 +172,19 @@ function display_content(&$a, $update = 0, $load = false) {
 			}
 			if($r === null) {
 
+				// in case somebody turned off public access to sys channel content using permissions
+				// make that content unsearchable by ensuring the owner_xchan can't match
+
+				if(! perm_is_allowed($sys['channel_id'],$observer_hash,'view_stream'))
+					$sys['xchan_hash'] .= 'disabled';
+
+
 				$r = q("SELECT * from item
 					WHERE item_restrict = 0
 					and mid = '%s'
 					AND (((( `item`.`allow_cid` = ''  AND `item`.`allow_gid` = '' AND `item`.`deny_cid`  = '' 
 					AND `item`.`deny_gid`  = '' AND item_private = 0 ) 
-					and owner_xchan in ( " . stream_perms_xchans(($observer) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
+					and owner_xchan in ( " . stream_perms_xchans(($observer_hash) ? (PERMS_NETWORK|PERMS_PUBLIC) : PERMS_PUBLIC) . " ))
 					OR owner_xchan = '%s')
 					$sql_extra )
 					group by mid limit 1",