Don't expose members of an item that are not viewable by the end user.

This leaks item ids, but no other information about the item.  Fixes
ticket #1292.
commit b562751fdb2ae8aab3a344e84176ea03381ca04c 1 parent 50e3230
@bharat bharat authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  modules/gallery/helpers/items_rest.php
2  modules/gallery/helpers/items_rest.php
@@ -80,7 +80,7 @@ private static function _format_restful_item($item) {
"relationships" => rest::relationships("item", $item));
if ($item->type == "album") {
$members = array();
- foreach ($item->children() as $child) {
+ foreach ($item->viewable()->children() as $child) {
$members[] = rest::url("item", $child);
}
$item_rest["members"] = $members;
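Review bot: the changed foreach line is the only place this commit touches, and no test accompanies it, so nothing guards against the ticket #1292 leak coming back. A regression test that requests an album containing a child the caller is not allowed to view, and asserts that the child's URL is absent from "members", would cover it. It is also worth confirming that the "relationships" entry built by rest::relationships("item", $item) in the context line above applies the same view-permission filtering, since only the members loop is changed here.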