FIX #17671 TIME 0:05 checking hardDelete privilege before search

18e63c6c · Jean-Laurent DUZANT · 98cdcec1 · 18e63c6c
Commit 18e63c6c authored 2 years ago by Jean-Laurent DUZANT
--- a/src/app/search/controllers/SearchController.php
+++ b/src/app/search/controllers/SearchController.php
@@ -36,7 +36,7 @@ class SearchController
        $queryParams['softDeleted'] = empty($queryParams['softDeleted']) ? false : $queryParams['softDeleted'] == 'true';
        $queryParams['hardDeleted'] = empty($queryParams['hardDeleted']) ? false : $queryParams['hardDeleted'] == 'true';

-        if ($queryParams['softDeleted'] && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'can_purge'])) {
+        if (($queryParams['softDeleted'] || $queryParams['softDeleted']) && !PrivilegeController::hasPrivilege(['userId' => $GLOBALS['id'], 'privilege' => 'can_purge'])) {
            return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
        }