From 88d660d92e58cacc7fdda67895000528060cda3c Mon Sep 17 00:00:00 2001
From: Andy Heathershaw <andy@andys.eu>
Date: Sun, 10 Sep 2017 11:18:12 +0100
Subject: [PATCH] #33: Fixed an issue where by the anonymous album check did
 not include the album ID, thereby allowing access if other albums allowed
 anonymous users.

---
 app/Policies/AlbumPolicy.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app/Policies/AlbumPolicy.php b/app/Policies/AlbumPolicy.php
index dd08b94..4e069c8 100644
--- a/app/Policies/AlbumPolicy.php
+++ b/app/Policies/AlbumPolicy.php
@@ -145,7 +145,10 @@ class AlbumPolicy
         {
             $query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
                 ->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
-                ->where('permissions.id', $permission->id);
+                ->where([
+                    ['albums.id', $album->id],
+                    ['permissions.id', $permission->id]
+                ]);
 
             return $query->count() > 0;
         }