Commit 0fdd772b authored by Leigh B. Stoller's avatar Leigh B. Stoller

Fix a couple of access permission checks that were allowing unapproved

project members (but approved in other projects) to see things they
are not supposed to.
parent 9da1a94d
......@@ -43,13 +43,8 @@ if (mysql_num_rows($query_result) == 0) {
#
# Verify that this uid is a member of the project being displayed.
#
if (!$isadmin) {
$query_result =
DBQueryFatal("SELECT trust FROM group_membership ".
"WHERE uid='$uid' and pid='$pid' and gid='$pid'");
if (mysql_num_rows($query_result) == 0) {
USERERROR("You are not a member of Project $pid.", 1);
}
if (! TBProjAccessCheck($uid, $pid, $pid, $TB_PROJECT_READINFO)) {
USERERROR("You are not a member of Project $pid.", 1);
}
SHOWPROJECT($pid, $uid);
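Review bot: The explicit `if (!$isadmin)` guard no longer appears on the new side, so whether an administrator can still view a project they do not belong to now depends entirely on how TBProjAccessCheck treats admins, and that function is not visible in this hunk. Please confirm it, since a mistake there either locks admins out or leaves the bypass undocumented at this call site. The comment above the check still says "is a member", but the test is now for read access by an approved member; I would reword it to `# Verify that this uid is an approved member of the project (or an admin); unapproved members must not see project info.` Keeping the same error text for "no membership row" and "membership not approved" is good, because it does not reveal which case applied.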
......
......@@ -170,7 +170,7 @@ if (! $isadmin) {
DBQueryFatal("SELECT * FROM projects as p ".
"left join group_membership as g on ".
" p.pid=g.pid and g.pid=g.gid ".
"where g.uid='$uid'");
"where g.uid='$uid' and g.trust!='none'");
if (mysql_num_rows($query_result) == 0) {
USERERROR("You are not a member of any projects!", 1);
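Review bot: The approval test here is spelled inline as `g.trust!='none'`, while the other check in this commit goes through TBProjAccessCheck with $TB_PROJECT_READINFO, so the meaning of "approved" is now defined in two places and can drift. If the listing cannot use the helper, a comment on the query would at least record the intent, e.g. `# Only approved memberships count; trust='none' means the user has not been approved in that project.` The filter sits in the WHERE clause, so rows with a NULL trust are also excluded, which is the fail-closed result wanted here. Because the commit message says "a couple" of checks were affected, the other queries that test only for the existence of a group_membership row deserve the same audit. `$uid` is interpolated directly into the SQL string; presumably it comes from the authenticated session rather than from the request, but that is set outside this hunk and should be confirmed.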
......