From 4b17ea04a75eba037d5ad5bc2aeffaadddfcfa04 Mon Sep 17 00:00:00 2001
From: Mario <mario@mariovavti.com>
Date: Thu, 1 Jun 2023 10:15:35 +0000
Subject: add owner and author to item_permissions_sql()

---
 include/security.php | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'include/security.php')

diff --git a/include/security.php b/include/security.php
index de9f1f337..2fbe1da1a 100644
--- a/include/security.php
+++ b/include/security.php
@@ -490,12 +490,19 @@ function item_permissions_sql($owner_id, $remote_observer = null) {
 				$gs = '<<>>'; // should be impossible to match
 			}
 
+			// This function is often called without an $owner_id in places where this could not be
+			// determined in advance. The ACL fields will usually not contain the original author or owner
+			// so we will also check for author_xchan and owner_xchan to account for this ACL deficiency.
+
 			$regexop = db_getfunc('REGEXP');
 			$sql = sprintf(
-				" AND (( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
-				  AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
-				  ) OR ( item_private = 1 $scope ))
+				" AND ( author_xchan = '%s' OR owner_xchan = '%s' OR
+				(( NOT (deny_cid $regexop '%s' OR deny_gid $regexop '%s')
+				AND ( allow_cid $regexop '%s' OR allow_gid $regexop '%s' OR ( allow_cid = '' AND allow_gid = '' AND item_private = 0 ))
+				)))
 				",
+				dbesc($observer),
+				dbesc($observer),
 				dbesc($cs),
 				dbesc($gs),
 				dbesc($cs),
-- 
cgit v1.2.3