Commit 08d8b8b1 authored by Francois Marier, committed by Richard Mansfield

Cast an ID coming from user data before it hits a query



This is a security fix (SQL injection).
Signed-off-by: Francois Marier <francois@catalyst.net.nz>
parent 6a0d658d
......@@ -1973,7 +1973,7 @@ class View {
{artefact_access_role} r
INNER JOIN {group_member} m ON r.role = m.role
WHERE
m."group" = ' . $group . '
m."group" = ' . (int)$group . '
AND m.member = ' . $user->get('id') . '
AND r.can_view = 1
) ga ON (ga.group = a.group AND a.id = ga.artefact)';
......
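Review bot: The line directly after the change, `AND m.member = ' . $user->get('id') . '`, is still concatenated into the SQL string without a cast, so the statement keeps the same pattern this commit fixes for `$group`. That value is read from the `$user` object, but casting it the same way, or better, passing both values as bound query parameters instead of building the string, would keep the query safe regardless of where the values originate. Also, `(int)$group` turns a non-numeric string into 0 and the query still runs; if `$group` must be a valid group ID, rejecting non-numeric input where the parameter is read would surface bad requests instead of silently querying group 0.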