Commit 6812cd85 authored by cedric's avatar cedric Committed by oadaeh

Issue #2033161 by cedric, dgtlmoon, ptmkenny, Berdir, rfay:...

Issue #2033161 by cedric, dgtlmoon, ptmkenny, Berdir, rfay: privatemsg_thread_load returns messages from all other threads when no access to requested thread
parent c4226e68
......@@ -545,7 +545,9 @@ function privatemsg_thread_load($thread_id, $account = NULL, $start = NULL, $use
$conditions['account'] = $account;
}
// #2033161 privatemsg_message_load_multiple will load all threads if empty
// If the $ids parameter is empty, privatemsg_message_load_multiple will
// load all threads.
// @see https://drupal.org/node/2033161
$ids = $query->execute()->fetchCol();
if (count($ids)) {
$thread['messages'] = privatemsg_message_load_multiple($ids, $conditions);
......
......@@ -85,6 +85,11 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
$subject = $this->randomName(20);
$body = $this->randomName(50);
// Make sure that $no_recipient is involved in another thread to assert that
// no unrelated messages are displayed.
// @see https://drupal.org/node/2033161
$unrelated = privatemsg_new_thread(array($no_recipient), $subject, $body, array('author' => $author));
$response = privatemsg_new_thread(array($recipient), $subject, $body, array('author' => $author));
$this->drupalLogin($user_no_read_msg);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment