#33: Fixed an issue whereby the anonymous album check did not include the album ID, thereby allowing access if other albums allowed anonymous users.
parent
818d4c39d2
commit
88d660d92e
@ -145,7 +145,10 @@ class AlbumPolicy
|
|||||||
{
|
{
|
||||||
$query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
|
$query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
|
||||||
->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
|
->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
|
||||||
->where('permissions.id', $permission->id);
|
->where([
|
||||||
|
['albums.id', $album->id],
|
||||||
|
['permissions.id', $permission->id]
|
||||||
|
]);
|
||||||
|
|
||||||
return $query->count() > 0;
|
return $query->count() > 0;
|
||||||
}
|
}
|
||||||
|
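Review bot: The new `['albums.id', $album->id]` condition is the whole of the access-control fix, yet it carries no comment and, as far as this hunk shows, no regression test, so a later refactor of the `where` could silently reopen cross-album anonymous access. I would put `// Scope to this album: an anonymous grant on another album must not authorise this one.` above the `->where([` call and add a test with two albums where only one has the anonymous permission, asserting the check fails for the other. Any sibling user or group permission queries in AlbumPolicy presumably deserve the same audit for a missing album constraint; they are not visible here. As a smaller point, `return $query->exists();` expresses the intent more directly than `count() > 0`. The method's signature lies above the hunk, so how `$album` and `$permission` arrive is not shown.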