From 06cf8130e9f75f006669173e1c03373ff239f616 Mon Sep 17 00:00:00 2001
From: Damien Burel <damien.burel@maarch.org>
Date: Mon, 27 Mar 2017 10:18:15 +0200
Subject: [PATCH] [FEAT] [PARA V2] Fix where clause @

---
 core/class/SecurityControler.php | 8 ++++++--
 modules/basket/Models/BasketsModelAbstract.php | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/core/class/SecurityControler.php b/core/class/SecurityControler.php
index 3239727ac50..df00ad9e1c0 100644
--- a/core/class/SecurityControler.php
+++ b/core/class/SecurityControler.php
@@ -335,11 +335,15 @@ class SecurityControler
 * @param $userId string User identifier
 * @return string Proper where clause
 */
- public function process_security_where_clause($whereClause, $userId)
+ public function process_security_where_clause($whereClause, $userId, $addWhere = true)
 {
 if (!empty($whereClause)) {
 $whereClause = str_replace("'", "'", $whereClause);
- $where = ' where ' . $whereClause;
+ if ($addWhere) {
+ $where = ' where ' . $whereClause;
+ } else {
+ $where = $whereClause;
+ }
 // Process with the core vars
 $where = $this->process_where_clause($where, $userId);
 // Process with the modules vars
diff --git a/modules/basket/Models/BasketsModelAbstract.php b/modules/basket/Models/BasketsModelAbstract.php
index 67fc50af536..07af5e9b9bf 100644
--- a/modules/basket/Models/BasketsModelAbstract.php
+++ b/modules/basket/Models/BasketsModelAbstract.php
@@ -14,6 +14,7 @@
 */
 
 require_once 'apps/maarch_entreprise/services/Table.php';
+require_once 'core/class/SecurityControler.php';
 
 class BasketsModelAbstract extends Apps_Table_Service
 {
@@ -35,7 +36,8 @@ class BasketsModelAbstract extends Apps_Table_Service
 return [];
 }
 
- $where = str_replace('@user', "'" .$_SESSION['user']['UserId']. "'", $aBasket[0]['basket_clause']);
+ $sec = new SecurityControler();
+ $where = $sec->process_security_where_clause($aBasket[0]['basket_clause'], $_SESSION['user']['UserId'], false);
 
 $aResList = static::select(
 [
-- 
GitLab
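Review bot: The new `$addWhere` parameter on `process_security_where_clause` is not described in the docblock directly above the signature, which still lists only `$userId` and the return value; add `* @param $addWhere bool Prefix the clause with ' where ' (default true); when false the caller supplies the surrounding WHERE/AND context` alongside the existing `@param` lines. Because it is a boolean switch, call sites read as an opaque `false`, so a scalar type on the declaration (`bool $addWhere = true`) would also help if the project's PHP version supports it. Separately, the context line `$whereClause = str_replace("'", "'", $whereClause);` is a no-op as rendered here; if its first argument was an entity decoded during rendering that is fine, otherwise it deserves a second look since it is the only transformation applied before the clause is returned as a where clause. The function's remaining branches continue outside the hunk.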
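Review bot: The new call hands `$aBasket[0]['basket_clause']` to `process_security_where_clause` without checking that it is non-empty; the callee only builds `$where` inside an `if (!empty($whereClause))` branch and what it returns otherwise is not visible in this patch, whereas the old `str_replace` simply yielded the empty string. Confirm that the empty-clause return is something `static::select` can consume, or guard with `if (empty($aBasket[0]['basket_clause'])) { return []; }` before the call if an empty clause should mean no rows, as the `empty($aBasket)` case already does. The bare `false` argument is opaque at this call site; a trailing comment such as `false /* no leading ' where ' */` makes the intent clear on PHP versions without named arguments. The clause is still assembled as a string before it reaches `static::select` — this change only moves the variable substitution into SecurityControler — so `basket_clause` must remain administrator-controlled data. The enclosing method and the `static::select` call continue outside the hunk.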