From eb689565067976d9b3fb499d9cf2e47f9c98b2c8 Mon Sep 17 00:00:00 2001
From: Megan Watson
Date: Fri, 28 Mar 2008 13:35:27 +0000
Subject: [PATCH] KTS-3211 "Search not adhering to read permissions" Fixed. Added permissions to the sql.
---
 search2/search/expr.inc.php | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/search2/search/expr.inc.php b/search2/search/expr.inc.php
index 0f7efdd..7ced3da 100755
--- a/search2/search/expr.inc.php
+++ b/search2/search/expr.inc.php
@@ -1161,9 +1161,19 @@ class SQLQueryBuilder implements QueryBuilder
 $sql .= " LEFT JOIN document_fields df$offset ON df$offset.id=dfl$offset.document_field_id" . "\n";
 }
+ // Add permissions sql for read access
+ $oPermission =& KTPermission::getByName('ktcore.permissions.read');
+ $permId = $oPermission->getID();
+ $oUser = User::get($_SESSION['userID']);
+ $aPermissionDescriptors = KTPermissionUtil::getPermissionDescriptorsForUser($oUser);
+ $sPermissionDescriptors = (!empty($aPermissionDescriptors)) ? implode(',', $aPermissionDescriptors) : '';
- $sql .=
- 'WHERE dmv.status_id=1 AND d.status_id=1 AND ' . "\n ";
+ $sql .= 'LEFT JOIN folders f ON d.folder_id = f.id '. "\n";
+
+ $sql .= 'INNER JOIN permission_lookups AS PL ON f.permission_lookup_id = PL.id '. "\n";
+ $sql .= 'INNER JOIN permission_lookup_assignments AS PLA ON PL.id = PLA.permission_lookup_id AND PLA.permission_id = '.$permId. " \n";
+
+ $sql .= "WHERE PLA.permission_descriptor_id IN ($sPermissionDescriptors) AND dmv.status_id=1 AND d.status_id=1 AND \n ";
 return $sql;
 }
--
libgit2 0.21.4
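Review bot: For a user with no permission descriptors, `$sPermissionDescriptors` is `''` and the new WHERE clause becomes `PLA.permission_descriptor_id IN ()`, which is not valid SQL in most engines, so the search fails with a query error instead of returning no rows. `$permId` and the descriptor ids are also concatenated into the statement as-is; casting them keeps the clause well-formed whatever the helpers return, e.g. `$sPermissionDescriptors = empty($aPermissionDescriptors) ? '-1' : implode(',', array_map('intval', $aPermissionDescriptors));` together with `(int) $permId` (this assumes descriptor ids are positive, so `-1` matches nothing). The read filter is evaluated against the parent folder's `permission_lookup_id`; if documents can carry permissions that differ from their folder's, it should be confirmed that the folder-level check is the intended one. The enclosing method starts outside the hunk, so how `$_SESSION['userID']` is guaranteed to be set at this point cannot be seen from here.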