From 0e4717ecae9a8dd07de0f8444f62830a28d35fb6 Mon Sep 17 00:00:00 2001
From: Peter Lejeck
Date: Sun, 6 Oct 2013 04:34:26 -0700
Subject: [PATCH] Unify two regexes used in rating searches, intersect with user privs

Fixes issue with unpriveleged users being able to circumvent the ratings they could see, just by searching for it. Also makes code much much prettier.
---
 ext/rating/main.php | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/ext/rating/main.php b/ext/rating/main.php
index afa8d381..e53141c8 100644
--- a/ext/rating/main.php
+++ b/ext/rating/main.php
@@ -104,21 +104,12 @@ class Ratings extends Extension {
 $set = Ratings::privs_to_sql(Ratings::get_user_privs($user));
 $event->add_querylet(new Querylet("rating IN ($set)"));
 }
-if(preg_match("/^rating=([sqeu]+)$/", $event->term, $matches)) {
-$sqes = $matches[1];
-$arr = array();
-$length = strlen($sqes);
-for($i=0; $i<$length; $i++) {
-$arr[] = "'" . $sqes[$i] . "'";
-}
-$set = join(', ', $arr);
+if(preg_match("/^rating=(?:([sqeu]+)|(safe|questionable|explicit|unknown))$", strtolower($event->term), $matches)) {
+$ratings = $matches[1] ? $matches[1] : array($matches[2][0]);
+$ratings = array_intersect($ratings, str_split(Ratings::get_user_privs($user)));
+$set = "'" . join("', '", $ratings) . "'";
 $event->add_querylet(new Querylet("rating IN ($set)"));
 }
-if(preg_match("/^rating=(safe|questionable|explicit|unknown)$/", strtolower($event->term), $matches)) {
-$text = $matches[1];
-$char = $text[0];
-$event->add_querylet(new Querylet("rating = :img_rating", array("img_rating"=>$char)));
-}
 }

 public function onPageRequest(PageRequestEvent $event) {
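Review bot: The new pattern on the added `if(preg_match(...))` line has no closing delimiter — it ends in `$"` rather than `$/"` — so preg_match() emits a "no ending delimiter" warning and returns false, the branch never runs, and both the `rating=sq` and `rating=safe` search forms that the two removed blocks used to handle stop working; the line should read `if(preg_match("/^rating=(?:([sqeu]+)|(safe|questionable|explicit|unknown))$/", strtolower($event->term), $matches)) {`. Once the pattern does match, `$matches[1]` is a string such as `sq`, not an array, so the ternary passes a string into array_intersect(), which does not accept a non-array argument; the letter form needs splitting, `$ratings = $matches[1] ? str_split($matches[1]) : array($matches[2][0]);`. The intersection against get_user_privs() is the right place for the privilege check, and because every surviving value is a single character from `[sqeu]`, the string built into `rating IN ($set)` stays constrained; a short comment above the `$set` line stating that invariant (values come only from the intersected privilege characters) would make it explicit for the next editor. The enclosing method begins before this hunk.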