-rw-r--r-- | engine/lib/access.php | 19 | ||||
-rw-r--r-- | engine/lib/sessions.php | 35 |
2 files changed, 48 insertions, 6 deletions
diff --git a/engine/lib/access.php b/engine/lib/access.php
index 5ccf238c8..7edb2d012 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -225,14 +225,21 @@ END;
 	if (!isset($owner)) {
 		$owner = get_loggedin_userid();
 	}
-	if (!$owner) $owner = -1;
-	$access = get_access_list($owner);
-
-	// do NOT use $is_admin global user here, since that only checks against
+	// do NOT use $is_admin global here, since that only checks against
 	// the current logged in user.
+	// Can't use metadata here because because of recursion.
+	// (get_entity, get_*() calls this function.)
+	if (!$owner) {
+		$owner = -1;
+		$admin = false;
+	} else {
+		$admin = is_admin_user($owner);
+	}
+
+	$access = get_access_list($owner);
-	if ($owner->admin == 'yes') {
+	if ($admin) {
 		$sql = " (1 = 1) ";
 	} else if ($owner != -1) {
 		$friends_bit = $table_prefix.'access_id = '.ACCESS_FRIENDS.' AND ';
@@ -729,4 +736,4 @@ END;
 // This function will let us know when 'init' has finished
 register_elgg_event_handler('init','system','access_init',9999);
-?>
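Review bot: `$owner` is handed to `is_admin_user($owner)` and `get_access_list($owner)` without being coerced to an integer, and `is_admin_user` (added in the sessions.php hunk of this same commit) interpolates its argument directly into SQL, so this call site inherits that exposure for any caller that passes a non-integer owner. Adding `$owner = (int) $owner;` right after the `isset` block keeps both lookups on integer input while still letting the `!$owner` branch map an empty value to -1; with the cast in place the loose `$owner != -1` below can become `!==`. The new comment has a doubled word, `because because`, which should read `because of recursion`. The enclosing function starts outside the hunk, so I cannot see whether `$owner` is a parameter or already validated upstream.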
\ No newline at end of file
+?>
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php
index 18fb9e73c..b34f07725 100644
--- a/engine/lib/sessions.php
+++ b/engine/lib/sessions.php
@@ -156,6 +156,41 @@
 		return false;
 	}
+	/**
+	 * Check if the given user is an admin.
+	 *
+	 * @param $user_guid
+	 * @return bool
+	 */
+	function is_admin_user($user_guid) {
+		global $CONFIG;
+
+		// caching is done at the db level so no need to here.
+		$query = "SELECT * FROM {$CONFIG->dbprefix}users_entity as e, {$CONFIG->dbprefix}metastrings as ms1, {$CONFIG->dbprefix}metastrings as ms2, {$CONFIG->dbprefix}metadata as md
+			WHERE (
+				ms1.string = 'admin' AND ms2.string = 'yes'
+				AND md.name_id = ms1.id AND md.value_id = ms2.id
+				AND e.guid = md.entity_guid
+				AND e.guid = {$user_guid}
+				AND e.banned = 'no'
+			)
+			OR (
+				ms1.string = 'admin' AND ms2.string = '1'
+				AND md.name_id = ms1.id AND md.value_id = ms2.id
+				AND e.guid = md.entity_guid
+				AND e.guid = {$user_guid}
+				AND e.banned = 'no'
+			)";
+
+		// normalizing the results from get_data()
+		// See #1242
+		$info = get_data($query);
+		if (!((is_array($info) && count($info) < 1) || $info === false)) {
+			return true;
+		}
+		return false;
+	}
+
 	/**
 	 * Perform standard authentication with a given username and password.
 	 * Returns an ElggUser object for use with login.
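Review bot: `$user_guid` is interpolated into the query twice (`AND e.guid = {$user_guid}`) without a cast or validation, so the only thing keeping this lookup free of SQL injection is every caller passing a genuine integer. Add `$user_guid = (int) $user_guid;` immediately after `global $CONFIG;` and document the contract in the docblock as `@param int $user_guid`. The result test `if (!((is_array($info) && count($info) < 1) || $info === false))` is hard to read and returns true for any non-array, non-false value; if `get_data()` only ever returns an array or false, `return is_array($info) && count($info) > 0;` says the same thing in one line. Since only existence matters, the two near-identical `OR` branches could also collapse into a single `ms2.string IN ('yes', '1')` condition with `SELECT 1 ... LIMIT 1`, which would avoid fetching full rows from a four-table join.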