From db3543cf2a9e59243c1b35be0078a0b9535a8824 Mon Sep 17 00:00:00 2001
From: ben <ben@36083f99-b078-4883-b0ff-0f9b5a30f544>
Date: Wed, 24 Sep 2008 11:57:10 +0000
Subject: Metadata permissions now work as advertised, but had to remove
 caching in the process. Will attempt to re-enable it shortly.

git-svn-id: https://code.elgg.org/elgg/trunk@2109 36083f99-b078-4883-b0ff-0f9b5a30f544
---
 engine/lib/access.php   |  4 ++--
 engine/lib/metadata.php | 28 +++++++++++++++++++---------
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/engine/lib/access.php b/engine/lib/access.php
index 2df9aea58..313fc7476 100644
--- a/engine/lib/access.php
+++ b/engine/lib/access.php
@@ -25,7 +25,7 @@
 			
 			global $CONFIG;
 			
-			if (!isset($access_list))
+			//if (!isset($access_list))
 				$access_list = array();
 			
 			if ($user_id == 0) $user_id = $_SESSION['id'];
@@ -52,7 +52,7 @@
 			global $CONFIG;
 			static $access_array;
 			
-			if (!isset($access_array))
+			//if (!isset($access_array))
 				$access_array = array();
 			
 			if ($user_id == 0) $user_id = $_SESSION['guid'];
diff --git a/engine/lib/metadata.php b/engine/lib/metadata.php
index d509424e2..376c6ecdd 100644
--- a/engine/lib/metadata.php
+++ b/engine/lib/metadata.php
@@ -151,9 +151,10 @@
 		global $CONFIG;
 
 		$id = (int)$id;
-		$access = get_access_sql_suffix("e");
+		$access = get_access_sql_suffix("e");
+		$md_access = get_access_sql_suffix("m");
 				
-		return row_to_elggmetadata(get_data_row("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e on e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.id=$id and $access"));
+		return row_to_elggmetadata(get_data_row("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e on e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.id=$id and $access and $md_access"));
 	}
 	
 	/**
@@ -363,11 +364,16 @@
 	function get_metadata_byname($entity_guid,  $meta_name)
 	{
 		global $CONFIG;
-	
-		$meta_name = get_metastring_id($meta_name);
+	
+		$meta_name = get_metastring_id($meta_name);
+		
+		if (empty($meta_name)) return false;
+		
 		$entity_guid = (int)$entity_guid;
-		$access = get_access_sql_suffix("e");
-		$result = get_data("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.entity_guid=$entity_guid and m.name_id='$meta_name' and $access", "row_to_elggmetadata");
+		$access = get_access_sql_suffix("e");
+		$md_access = get_access_sql_suffix("m");
+
+		$result = get_data("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.entity_guid=$entity_guid and m.name_id='$meta_name' and $access and $md_access", "row_to_elggmetadata");
 		if (!$result) 
 			return false;
 		
@@ -387,9 +393,10 @@
 		global $CONFIG;
 	
 		$entity_guid = (int)$entity_guid;
-		$access = get_access_sql_suffix("e");
+		$access = get_access_sql_suffix("e");
+		$md_access = get_access_sql_suffix("e");
 		
-		return get_data("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.entity_guid=$entity_guid and $access", "row_to_elggmetadata");
+		return get_data("SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}metadata m JOIN {$CONFIG->dbprefix}entities e ON e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where m.entity_guid=$entity_guid and $access and $md_access", "row_to_elggmetadata");
 	}
 
 	/**
@@ -442,7 +449,8 @@
 		$query = "SELECT m.*, n.string as name, v.string as value from {$CONFIG->dbprefix}entities e JOIN {$CONFIG->dbprefix}metadata m on e.guid = m.entity_guid JOIN {$CONFIG->dbprefix}metastrings v on m.value_id = v.id JOIN {$CONFIG->dbprefix}metastrings n on m.name_id = n.id where";
 		foreach ($where as $w)
 			$query .= " $w and ";
-		$query .= get_access_sql_suffix("e"); // Add access controls
+		$query .= get_access_sql_suffix("e"); // Add access controls
+		$query .= ' and ' . get_access_sql_suffix("m"); // Add access controls
 		$query .= " order by $order_by limit $offset, $limit"; // Add order and limit
 
 		return get_data($query, "row_to_elggmetadata");
@@ -516,6 +524,7 @@
 		foreach ($where as $w)
 			$query .= " $w and ";
 		$query .= get_access_sql_suffix("e"); // Add access controls
+		$query .= ' and ' . get_access_sql_suffix("m"); // Add access controls
 		
 		if (!$count) {
 			$query .= " order by $order_by limit $offset, $limit"; // Add order and limit
@@ -622,6 +631,7 @@
 		foreach ($where as $w)
 			$query .= " $w and ";
 		$query .= get_access_sql_suffix("e"); // Add access controls
+		$query .= ' and ' . get_access_sql_suffix("e"); // Add access controls
 		
 		if (!$count) {
 			$query .= " order by $order_by limit $offset, $limit"; // Add order and limit
-- 
cgit v1.2.3