From 6f93b3ebf51c6b4c8a669521a4823404c09ee976 Mon Sep 17 00:00:00 2001
From: Robbie Mackay
Date: Wed, 19 Aug 2015 19:55:52 +1200
Subject: [PATCH] Restrict search result by default for non admin user

This avoids getting a result set then skipping them all because the user doesn't have permission to see them. Ending up with an empty page.

Refs T1777
---
 application/classes/Ushahidi/Repository/Post.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/application/classes/Ushahidi/Repository/Post.php b/application/classes/Ushahidi/Repository/Post.php
index d4d08d7d09..20bef8f659 100644
--- a/application/classes/Ushahidi/Repository/Post.php
+++ b/application/classes/Ushahidi/Repository/Post.php
@@ -439,6 +439,20 @@ protected function setSearchConditions(SearchData $search)
 ->on('posts.id', '=', 'Filter_'.ucfirst($key).'.post_id');
 }
 }
+
+ $user = $this->getUser();
+ // If there's no logged in user, or the user isn't admin
+ // restrict our search to make sure we still return SOME results
+ // they are allowed to see
+ if (!$user->id) {
+ $query->where("$table.status", '=', 'published');
+ } elseif ($user->role !== 'admin') {
+ $query
+ ->and_where_open()
+ ->where("$table.status", '=', 'published')
+ ->or_where("$table.user_id", '=', $user->id)
+ ->and_where_close();
+ }
 }
 
 // SearchRepository
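Review bot: The visibility filter added at the end of `setSearchConditions` hard-codes the access policy (`published`, the user's own posts, `role !== 'admin'`) in the repository, so it can drift from whatever the per-post permission check enforces. The commit message implies that check still runs on each result afterwards, and the comment should say so, e.g. `// Pre-filter only: the per-post permission check remains the access control`. It is also worth confirming that none of the earlier conditions in this method add an ungrouped `or_where`, because the anonymous branch appends a bare `->where("$table.status", '=', 'published')` and a top-level OR earlier in the query would let rows bypass it. The function body starts outside the hunk, so that cannot be verified from here.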