#33: Fixed an issue whereby the anonymous album check did not include the album ID, thereby allowing access if other albums allowed anonymous users.

Andy Heathershaw 2017-09-10 11:18:12 +01:00
parent 818d4c39d2
commit 88d660d92e


@ -145,7 +145,10 @@ class AlbumPolicy
{
$query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
->where('permissions.id', $permission->id);
->where([
['albums.id', $album->id],
['permissions.id', $permission->id]
]);
return $query->count() > 0;
}
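Review bot: The added `['albums.id', $album->id]` constraint in the `where([...])` call is the whole authorization fix, yet nothing in the visible change pins it down; a regression test that grants an anonymous permission on one album and asserts the check fails for a different album would keep the bug from silently reappearing. The method begins above the hunk, so the sibling user- and group-permission checks in AlbumPolicy are not visible here; if they build similar joins they presumably need the same album scoping and are worth auditing. A short comment above the query would help, e.g. `// Scope to this album: an anonymous grant on another album must not satisfy the check.` As a style point, `return $query->exists();` states the intent more directly than `$query->count() > 0` and lets the database stop at the first matching row.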