Fix a couple of access permission checks that were allowing unapproved

project members (but approved in other projects) to see things they are not supposed to.

Fix a couple of access permission checks that were allowing unapproved
project members (but approved in other projects) to see things they are not supposed to.
0fdd772b · Leigh B. Stoller · 9da1a94d · 0fdd772b · 0fdd772b
Commit 0fdd772b authored Apr 02, 2002 by Leigh B. Stoller
--- a/www/showproject.php3
+++ b/www/showproject.php3
@@ -43,13 +43,8 @@ if (mysql_num_rows($query_result) == 0) {
 #
 # Verify that this uid is a member of the project being displayed.
 #
-if (!$isadmin) {
-    $query_result = 
-        DBQueryFatal("SELECT trust FROM group_membership ".
-		     "WHERE uid='$uid' and pid='$pid' and gid='$pid'");
-    if (mysql_num_rows($query_result) == 0) {
-        USERERROR("You are not a member of Project $pid.", 1);
-    }
+if (! TBProjAccessCheck($uid, $pid, $pid, $TB_PROJECT_READINFO)) {
+    USERERROR("You are not a member of Project $pid.", 1);
 }

 SHOWPROJECT($pid, $uid);

--- a/www/showproject_list.php3
+++ b/www/showproject_list.php3
@@ -170,7 +170,7 @@ if (! $isadmin) {
 	DBQueryFatal("SELECT * FROM projects as p ".
 		     "left join group_membership as g on ".
 		     "     p.pid=g.pid and g.pid=g.gid ".
-		     "where g.uid='$uid'");
+		     "where g.uid='$uid' and g.trust!='none'");
 				   
    if (mysql_num_rows($query_result) == 0) {
 	USERERROR("You are not a member of any projects!", 1);