From 101e32443886ddbcd788e1afc5423c23655a56f6 Mon Sep 17 00:00:00 2001
From: marcus
Date: Thu, 8 Jan 2009 11:41:23 +0000
Subject: Closes #663: Added access checks on entity on get_entities_from_annotation and count functions.
git-svn-id: https://code.elgg.org/elgg/trunk@2541 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/annotations.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/engine/lib/annotations.php b/engine/lib/annotations.php
index 09158d6a3..a89d8c40b 100644
--- a/engine/lib/annotations.php
+++ b/engine/lib/annotations.php
@@ -425,7 +425,8 @@ foreach ($where as $w) $query .= " $w and ";
- $query .= get_access_sql_suffix("a"); // Add access controls
+ $query .= get_access_sql_suffix("a"); // Add access controls
+ $query .= ' and ' . get_access_sql_suffix("e"); // Add access controls
 if ($count) { $row = get_data_row($query);
@@ -595,7 +596,8 @@ $query = "SELECT $sum(ms.string) as sum from {$CONFIG->dbprefix}annotations a JOIN {$CONFIG->dbprefix}entities e on a.entity_guid = e.guid JOIN {$CONFIG->dbprefix}metastrings ms on a.value_id=ms.id WHERE "; foreach ($where as $w) $query .= " $w and ";
- $query .= get_access_sql_suffix("a"); // now add access
+ $query .= get_access_sql_suffix("a"); // now add access
+ $query .= ' and ' . get_access_sql_suffix("e"); // now add access
 $row = get_data_row($query); if ($row)
--
cgit v1.2.3
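Review bot: The added `' and ' . get_access_sql_suffix("e")` only narrows the result if the helper returns a single self-contained predicate; its body is not visible here, and if the returned SQL ever carries a top-level `or`, `and` binds tighter and rows could match without meeting the preceding `$where` conditions or the annotation check. Wrapping both calls makes the restriction independent of the helper's internals: `$query .= '(' . get_access_sql_suffix("a") . ')';` and `$query .= ' and (' . get_access_sql_suffix("e") . ')';`. The same pair of lines in the second hunk (the `$sum(ms.string)` query) needs the same treatment. The enclosing function starts and ends outside the hunk, so whether every path that runs the query passes through these lines cannot be confirmed from here.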
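Review bot: The two new trailing comments in this hunk are both `// now add access` (and both `// Add access controls` in the first hunk), so nothing says which table each guard protects and a missing entity-side check stays easy to overlook. I would write them as `// annotation-level access` and `// entity-level access: annotations on entities the viewer cannot read must not be returned or aggregated`. Both queries hand-assemble the same `a` + `e` tail, so a small shared helper returning the combined clause would keep other queries in this file that join the entities table consistent; whether any remain unguarded is not visible in this diff. A regression test with an annotation that is readable while its entity is not would pin the behaviour for the list/count path and for this aggregate path.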