From 9ae9d13880e0cd0a5ad594d09b9e5a870143b8f8 Mon Sep 17 00:00:00 2001
From: scottmk
Date: Thu, 17 Jun 2010 19:16:45 +0000
Subject: [PATCH 1/1] 1. Disable fleshing for PCRUD. Otherwise fleshing would provide a back door whereby a user could see stuff he has no permission to see. 2. For the id_list method: strip out the "flesh_fields" entry, not the "flesh_columns" entry (which doesn't exist). This actually makes no difference, but if we're going to do something useless, we might as well do it right. M Open-ILS/src/c-apps/oils_sql.c git-svn-id: svn://svn.open-ils.org/ILS/trunk@16747 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/oils_sql.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index 56397e6ca4..c4c90b675a 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -1100,7 +1100,7 @@ int doIdList( osrfMethodContext* ctx ) {
 jsonObjectRemoveKey( rest_of_query, "select" );
 jsonObjectRemoveKey( rest_of_query, "no_i18n" );
 jsonObjectRemoveKey( rest_of_query, "flesh" );
- jsonObjectRemoveKey( rest_of_query, "flesh_columns" );
+ jsonObjectRemoveKey( rest_of_query, "flesh_fields" );
 } else {
 rest_of_query = jsonNewObjectType( JSON_HASH );
 }
@@ -5225,8 +5225,10 @@ static jsonObject* doFieldmapperSearch( osrfMethodContext* ctx, osrfHash* class_
 dbi_result_free( result );
 free( sql );
- // If we're asked to flesh, and there's anything to flesh, then flesh.
- if( res_list->size && query_hash ) {
+ // If we're asked to flesh, and there's anything to flesh, then flesh it
+ // (but not for PCRUD, lest the user to bypass permissions by fleshing
+ // something that he has no permission to look at).
+ if( res_list->size && query_hash && ! enforce_pcrud ) {
 _tmp = jsonObjectGetKeyConst( query_hash, "flesh" );
 if( _tmp ) {
 // Get the flesh depth
-- 
2.43.2
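Review bot: In the doFieldmapperSearch hunk, a `flesh` key in `query_hash` is now ignored without a trace when `enforce_pcrud` is set, so the client gets unfleshed rows and nothing records that a request was declined on permission grounds. I would log the refusal just before the guarded block, e.g. `if( enforce_pcrud && query_hash && jsonObjectGetKeyConst( query_hash, "flesh" ) ) osrfLogDebug( OSRF_LOG_MARK, "Ignoring flesh request under PCRUD" );`, so that operators can see how often it happens and from which methods. The new comment should also say whether fleshing is off for good or only until fleshed objects get their own permission check, and its wording needs a fix: `lest the user bypass permissions by fleshing`. `enforce_pcrud` is declared outside the hunk and the function body continues past it, so whether any other branch follows links under PCRUD cannot be confirmed from here and is worth checking alongside this guard.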