Security Enhancements:
* Fixed possible XSS vulnerability if using a crafted URL.
* Fixed exploit to bypass new user validation if using a crafted form.
+ * Fixed incorrect caching of access lists that could allow plugins
+ to show private entities to non-admin and non-owning users. (Non-exploitable)
Bugfixes:
- * Twitter API: New users are forwarded to the correct page after creating
- an account with Twitter.
- * Files: PDF files are downloaded as "inline" to display in the browser.
- * Fixed possible duplication errors when writing metadata with multiple values.
- * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
- * Fixed problems when enabling more than 50 metadata or annotations.
+ * Twitter API: New users are forwarded to the correct page after creating
+ an account with Twitter.
+ * Files: PDF files are downloaded as "inline" to display in the browser.
+ * Fixed possible duplication errors when writing metadata with multiple values.
+ * Fixed possible upgrade issue if using a plugin uses the system_log hooks.
+ * Fixed problems when enabling more than 50 metadata or annotations.
API:
- * River entries' timestamps use elgg_view_friendly_time() and can be
+ * River entries' timestamps use elgg_view_friendly_time() and can be
overridden with the friendly time output view.
Version 1.8.4
global $CONFIG, $init_finished;
static $access_list;
- if (!isset($access_list) || !$init_finished) {
+ if (!isset($access_list)) {
$access_list = array();
}
return $access_list[$user_id];
}
- $access_list[$user_id] = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";
+ $access = "(" . implode(",", get_access_array($user_id, $site_id, $flush)) . ")";
- return $access_list[$user_id];
+ // only cache if done with init
+ if ($init_finished) {
+ $access_list[$user_id] = $access;
+ return $access_list[$user_id];
+ } else {
+ return $access;
+ }
}
/**
// this cache might be redundant. But db cache is flushed on every db write.
static $access_array;
- if (!isset($access_array) || (!isset($init_finished)) || (!$init_finished)) {
+ if (!isset($access_array)) {
$access_array = array();
}
$tmp_access_array[] = ACCESS_PRIVATE;
}
- $access_array[$user_id] = $tmp_access_array;
- } else {
- // No user id logged in so we can only access public info
- $tmp_return = $tmp_access_array;
+ // only cache if done with init
+ if ($init_finished) {
+ $access_array[$user_id] = $tmp_access_array;
+ }
}
-
} else {
$tmp_access_array = $access_array[$user_id];
}
*
* @global bool $init_finished
* @access private
- * @todo investigate why this is needed
+ * @todo This is required to tell the access system to start caching because
+ * calls are made while in ignore access mode and before the user is logged in.
*/
$init_finished = false;
return $value;
}
-// This function will let us know when 'init' has finished
-elgg_register_event_handler('init', 'system', 'access_init', 9999);
+// Tell the access functions the system has booted, plugins are loaded,
+// and the user is logged in so it can start caching
+elgg_register_event_handler('ready', 'system', 'access_init');
// For overrided permissions
elgg_register_plugin_hook_handler('permissions_check', 'all', 'elgg_override_permissions');
projects / lorea / elgg.git / commitdiff