diff --git a/lib/Alchemy/Phrasea/Controller/Prod/Feed.php b/lib/Alchemy/Phrasea/Controller/Prod/Feed.php
index 7700f50563..730f42a697 100644
--- a/lib/Alchemy/Phrasea/Controller/Prod/Feed.php
+++ b/lib/Alchemy/Phrasea/Controller/Prod/Feed.php
@@ -228,7 +228,10 @@ class Feed implements ControllerProviderInterface
 $page = (int) $request->query->get('page');
 $page = $page > 0 ? $page : 1;
- $feed = $app['EM']->getRepository('Entities\Feed')->loadWithUser($app, $app['authentication']->getUser(), $id);
+ $feed = $app['EM']->getRepository('Entities\Feed')->find($id);
+ if (!$feed->isAccessible($app['authentication']->getUser(), $app)) {
+ $app->abort(404, 'Feed not found');
+ }
 $feeds = $app['EM']->getRepository('Entities\Feed')->getAllForUser($app['authentication']->getUser());
 $datas = $app['twig']->render('prod/feeds/feeds.html.twig', array('feed' => $feed, 'feeds' => $feeds, 'page' => $page));
@@ -262,8 +265,10 @@ class Feed implements ControllerProviderInterface
 $controllers->get('/subscribe/{id}/', function(Application $app, Request $request, $id) {
 $renew = ($request->query->get('renew') === 'true');
- $feed = $app['EM']->getRepository('Entities\Feed')->loadWithUser($app, $app['authentication']->getUser(), $id);
-
+ $feed = $app['EM']->getRepository('Entities\Feed')->find($id);
+ if (!$feed->isAccessible($app['authentication']->getUser(), $app)) {
+ $app->abort(404, 'Feed not found');
+ }
 $link = $app['feed.user-link-generator']->generate($feed, $app['authentication']->getUser(), FeedLinkGenerator::FORMAT_RSS, null, $renew);
 $output = array(
diff --git a/lib/Doctrine/Entities/Feed.php b/lib/Doctrine/Entities/Feed.php
index 708922f40a..2da4754ddb 100644
--- a/lib/Doctrine/Entities/Feed.php
+++ b/lib/Doctrine/Entities/Feed.php
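Review bot: The added `if (!$feed->isAccessible(...))` line in the first hunk dereferences the result of `find($id)` without a null check, so an unknown feed id now produces a fatal "call to a member function on a non-object" instead of the intended 404; the removed `loadWithUser` (visible in the SessionRepository hunk of this diff) guarded that case with `if ($feed)`. The same gap exists in the `/subscribe/{id}/` hunk just below and in the API adapter hunk later in the diff. The guard should be `if (null === $feed || !$feed->isAccessible($app['authentication']->getUser(), $app)) {` in both controller hunks, which also keeps the later `twig` render and `generate()` calls from receiving null. Both route closures start before their hunks, so the handling of `$feed` after the shown lines is not visible here.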
@@ -543,4 +543,24 @@ class Feed implements FeedInterface
 return false;
 }
+
+ /**
+ *
+ * Returns a boolean indicating whether a given user has access to the feed
+ *
+ * @param \User_Adapter $user
+ * @param \Alchemy\Phrasea\Application $app
+ *
+ * @return boolean
+ */
+ public function isAccessible(\User_Adapter $user, Application $app)
+ {
+ $coll = $this->getCollection($app);
+ if ($this->isPublic()
+ || $coll === null
+ || in_array($coll->get_base_id(), array_keys($user->ACL()->get_granted_base()))) {
+ return true;
+ }
+ return false;
+ }
 }
diff --git a/lib/Doctrine/Repositories/SessionRepository.php b/lib/Doctrine/Repositories/SessionRepository.php
index c4de8d73c8..d29dee3a98 100644
--- a/lib/Doctrine/Repositories/SessionRepository.php
+++ b/lib/Doctrine/Repositories/SessionRepository.php
@@ -46,29 +46,6 @@ class SessionRepository extends EntityRepository
 return $qb->getQuery()->getResult();
 }
- /**
- * Returns the given feed if the user can access to it.
- *
- * @param Application $app
- * @param \User_Adapter $user
- * @param type $id
- * @return Feed
- */
- public function loadWithUser(Application $app, \User_Adapter $user, $id)
- {
- $feed = $this->find($id);
- if ($feed) {
- $coll = $feed->getCollection($app);
- if ($feed->isPublic()
- || $coll === null
- || in_array($coll->get_base_id(), array_keys($user->ACL()->get_granted_base()))) {
- return $feed;
- }
- }
-
- return null;
- }
-
 /**
 * Returns all the feeds from a given array containing their id.
 *
diff --git a/lib/classes/API/V1/adapter.php b/lib/classes/API/V1/adapter.php
index b8359fd1b4..751d0a14ea 100644
--- a/lib/classes/API/V1/adapter.php
+++ b/lib/classes/API/V1/adapter.php
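Review bot: `isAccessible` grants access whenever `$this->getCollection($app)` returns null (the `|| $coll === null` branch), so a feed whose collection cannot be resolved is readable by any user regardless of `isPublic()` or the ACL; this is carried over from the removed `loadWithUser`, but the method is now the single gate for both the web controllers and the API adapter, so the fail-open case deserves an explicit comment such as `// A feed without a resolvable collection is treated as public` or a decision to deny instead. The `in_array` membership test should pass `true` as its third argument so that a string/int mismatch between `get_base_id()` and the `get_granted_base()` keys cannot produce a loose-comparison match — whether the two are the same scalar type is not visible here and should be confirmed. The `if ... return true; return false;` shape can be a single `return` of the boolean expression, and the docblock has a stray empty ` *` line before the description and should read `@return bool`.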
@@ -1517,8 +1517,10 @@ class API_V1_adapter extends API_V1_Abstract
 {
 $result = new API_V1_result($this->app, $request, $this);
- $feed = $this->app['EM']->getRepository('Entities\Feed')->loadWithUser($this->app, $user, $publication_id);
-
+ $feed = $app['EM']->getRepository('Entities\Feed')->find($publication_id);
+ if (!$feed->isAccessible($app['authentication']->getUser(), $this->app)) {
+ return $result->set_datas(array())
+ }
 $offset_start = (int) ($request->get('offset_start') ? : 0);
 $per_page = (int) ($request->get('per_page') ? : 5);
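Review bot: The added `return $result->set_datas(array())` line is missing its semicolon, so this file no longer parses, and the two lines above it reference `$app`, which is not a variable in this method — the surrounding lines and the removed call use `$this->app` — so even once the syntax is fixed the lookup would fail at runtime. The removed line passed the method's `$user` to the access check, whereas the new code asks `$app['authentication']->getUser()`; for an API call the session user and the user the method was handed may not be the same principal, so the check should keep using `$user` (the method signature is above the hunk, so confirm `$user` is still in scope). As in the controller hunks, `find()` can return null and must be guarded before `isAccessible` is called. The rewritten lines below keep the empty-result response the commit intended for an inaccessible feed.
```php
$result = new API_V1_result($this->app, $request, $this);
$feed = $this->app['EM']->getRepository('Entities\Feed')->find($publication_id);
if (null === $feed || !$feed->isAccessible($user, $this->app)) {
    return $result->set_datas(array());
}
// … unchanged: offset_start / per_page parsing …
```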