From 2caa1c8fbca42f3d31fa472ac2940d0b396825ea Mon Sep 17 00:00:00 2001
From: Andy Heathershaw
Date: Sun, 10 Sep 2017 11:18:12 +0100
Subject: [PATCH] #33: Fixed an issue where by the anonymous album check did not include the album ID, thereby allowing access if other albums allowed anonymous users.
---
 app/Policies/AlbumPolicy.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/Policies/AlbumPolicy.php b/app/Policies/AlbumPolicy.php
index dd08b94..4e069c8 100644
--- a/app/Policies/AlbumPolicy.php
+++ b/app/Policies/AlbumPolicy.php
@@ -145,7 +145,10 @@ class AlbumPolicy
 {
 $query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
 ->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
- ->where('permissions.id', $permission->id);
+ ->where([
+ ['albums.id', $album->id],
+ ['permissions.id', $permission->id]
+ ]);
 return $query->count() > 0;
 }
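Review bot: The album-scoped `where([...])` closes an authorization bypass, but the diffstat shows only AlbumPolicy.php changed, so nothing pins the fix. A regression test with two albums, only one of which grants the permission to anonymous users, should assert that the check fails for the other album. Any other permission queries in this policy are outside the hunk and worth auditing for the same missing `albums.id` constraint. A short comment above the condition, e.g. `// Scope to this album: a grant on any other album must not satisfy this check`, would guard against the constraint being dropped in a later refactor. As a minor style point, `return $query->exists();` states the intent more directly than `count() > 0`. The method's signature is outside the hunk, so where `$album` comes from is not visible here.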