1 files changed, 24 insertions, 10 deletions

diff --git a/engine/lib/entities.php b/engine/lib/entities.php
index 05916ddf4..90e62fac7 100644
--- a/engine/lib/entities.php
+++ b/engine/lib/entities.php
@@ -30,7 +30,7 @@ $SUBTYPE_CACHE = NULL;
  *
  * @param int $guid The entity guid
  *
- * @return void
+ * @return null
  * @access private
  */
 function invalidate_cache_for_entity($guid) {
@@ -48,7 +48,7 @@ function invalidate_cache_for_entity($guid) {
  *
  * @param ElggEntity $entity Entity to cache
  *
- * @return void
+ * @return null
  * @see retrieve_cached_entity()
  * @see invalidate_cache_for_entity()
  * @access private
@@ -56,7 +56,13 @@ function invalidate_cache_for_entity($guid) {
  */
 function cache_entity(ElggEntity $entity) {
 	global $ENTITY_CACHE;
-	
+
+	// Don't cache entities while access control is off, otherwise they could be
+	// exposed to users who shouldn't see them when control is re-enabled.
+	if (elgg_get_ignore_access()) {
+		return;
+	}
+
 	// Don't store too many or we'll have memory problems
 	// TODO(evan): Pick a less arbitrary limit
 	if (count($ENTITY_CACHE) > 256) {
@@ -71,7 +77,7 @@ function cache_entity(ElggEntity $entity) {
  *
  * @param int $guid The guid
  *
- * @return void
+ * @return ElggEntity|bool false if entity not cached, or not fully loaded
  * @see cache_entity()
  * @see invalidate_cache_for_entity()
  * @access private
@@ -703,7 +709,9 @@ function get_entity($guid) {
 	}
 
 	$new_entity = entity_row_to_elggstar(get_entity_as_row($guid));
-	cache_entity($new_entity);
+	if ($new_entity) {
+		cache_entity($new_entity);
+	}
 	return $new_entity;
 }
 
@@ -946,13 +954,18 @@ function elgg_get_entities(array $options = array()) {
 		}
 
 		$dt = get_data($query, $options['callback']);
-		foreach ($dt as $entity) {
-			// If a custom callback is provided, it could return something other than ElggEntity,
-			// so we have to do an explicit check here.
-			if ($entity instanceof ElggEntity) {
-				cache_entity($entity);
+		if ($dt) {
+			foreach ($dt as $entity) {
+				// If a custom callback is provided, it could return something other than ElggEntity,
+				// so we have to do an explicit check here.
+				if ($entity instanceof ElggEntity) {
+					cache_entity($entity);
+				}
 			}
+			// @todo Without this, recursive delete fails. See #4568
+			reset($dt);
 		}
+
 		return $dt;
 	} else {
 		$total = get_data_row($query);
@@ -1425,6 +1438,7 @@ function disable_entity($guid, $reason = "", $recursive = true) {
 
 				$entity->disableMetadata();
 				$entity->disableAnnotations();
+				invalidate_cache_for_entity($guid);
 
 				$res = update_data("UPDATE {$CONFIG->dbprefix}entities
 					SET enabled = 'no'