Diffstat (limited to 'classes')
| -rw-r--r-- | classes/Article.php | 12 | ||||
| -rw-r--r-- | classes/Feeds.php | 26 | ||||
| -rw-r--r-- | classes/Pref_Filters.php | 9 |
3 files changed, 29 insertions, 18 deletions
diff --git a/classes/Article.php b/classes/Article.php
index e939298bc..c85697d6e 100644
--- a/classes/Article.php
+++ b/classes/Article.php
@@ -657,8 +657,10 @@ class Article extends Handler_Protected {
 $entries = ORM::for_table('ttrss_entries')
 ->table_alias('e')
- ->join('ttrss_user_entries', ['ref_id', '=', 'id'], 'ue')
- ->where_in('id', $article_ids)
+ ->select('ue.label_cache')
+ ->join('ttrss_user_entries', ['ue.ref_id', '=', 'e.id'], 'ue')
+ ->where_in('e.id', $article_ids)
+ ->where('ue.owner_uid', $_SESSION['uid'])
 ->find_many();
 $rv = [];
@@ -687,8 +689,10 @@ class Article extends Handler_Protected {
 $entries = ORM::for_table('ttrss_entries')
 ->table_alias('e')
- ->join('ttrss_user_entries', ['ref_id', '=', 'id'], 'ue')
- ->where_in('id', $article_ids)
+ ->select('ue.feed_id')
+ ->join('ttrss_user_entries', ['ue.ref_id', '=', 'e.id'], 'ue')
+ ->where_in('e.id', $article_ids)
+ ->where('ue.owner_uid', $_SESSION['uid'])
 ->find_many();
 $rv = [];
diff --git a/classes/Feeds.php b/classes/Feeds.php
index 7781d748f..16f71ff4c 100644
--- a/classes/Feeds.php
+++ b/classes/Feeds.php
@@ -580,6 +580,7 @@ class Feeds extends Handler_Protected {
 function opensite(): void {
 $feed = ORM::for_table('ttrss_feeds')
+ ->where('owner_uid', $_SESSION['uid'])
 ->find_one((int)$_REQUEST['feed_id']);
 if ($feed) {
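Review bot: `->select('ue.label_cache')` replaces the default column list, so the `$entries` rows now carry only that one column; if the loop that follows `$rv = [];` (outside the hunk, as is the rest of the method) keys its result by `$entry->id`, that key is now null and the fix should add `->select('e.id')` next to it. The same applies to `->select('ue.feed_id')` in the hunk at -687. The owner filter closes the cross-user read, but it ties a helper on `ttrss_entries` to `$_SESSION['uid']`; if the helper is reachable without a web session the comparison is against null and every call returns nothing, which deserves a comment such as `// owner-scoped: entries belonging to other users are never returned` so an empty result is not mistaken for a query bug.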
@@ -1198,25 +1199,21 @@ class Feeds extends Handler_Protected {
 $label_id = Labels::feed_to_label_id($id);
- $sth = $pdo->prepare("SELECT caption FROM ttrss_labels2 WHERE id = ?");
- $sth->execute([$label_id]);
+ $label = ORM::for_table('ttrss_labels2')
+ ->select('caption')
+ ->where('owner_uid', $_SESSION['uid'])
+ ->find_one($label_id);
- if ($row = $sth->fetch()) {
- return $row["caption"];
- } else {
- return "Unknown label ($label_id)";
- }
+ return $label ? $label->caption : "Unknown label ($label_id)";
 } else if (is_numeric($id) && $id > 0) {
- $sth = $pdo->prepare("SELECT title FROM ttrss_feeds WHERE id = ?");
- $sth->execute([$id]);
+ $feed = ORM::for_table('ttrss_feeds')
+ ->select('title')
+ ->where('owner_uid', $_SESSION['uid'])
+ ->find_one($id);
- if ($row = $sth->fetch()) {
- return $row["title"];
- } else {
- return "Unknown feed ($id)";
- }
+ return $feed ? $feed->title : "Unknown feed ($id)";
 } else {
 return "$id";
@@ -1358,6 +1355,7 @@ class Feeds extends Handler_Protected {
 return __("Labels");
 default:
 $cat = ORM::for_table('ttrss_feed_categories')
+ ->where('owner_uid', $_SESSION['uid'])
 ->find_one($cat_id);
 if ($cat) {
diff --git a/classes/Pref_Filters.php b/classes/Pref_Filters.php
index e16a88e5a..76790f30c 100644
--- a/classes/Pref_Filters.php
+++ b/classes/Pref_Filters.php
@@ -871,6 +871,15 @@ class Pref_Filters extends Handler_Protected {
 /** @var array<int, int> */
 $ids = array_map("intval", explode(",", clean($_REQUEST["ids"])));
+ // fail early if any provided filter IDs aren't owned by the current user
+ $unowned_filter_count = ORM::for_table('ttrss_filters2')
+ ->where_in('id', $ids)
+ ->where_not_equal('owner_uid', $_SESSION['uid'])
+ ->count();
+
+ if ($unowned_filter_count)
+ return;
+
 if (count($ids) > 1) {
 $base_id = array_shift($ids);
 $ids_qmarks = arr_qmarks($ids); |
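Review bot: `$pdo` is no longer referenced in either branch shown here; if the function (which starts and ends outside the hunk) still assigns it at the top and nothing else reads it, remove that assignment rather than leaving a dead handle. The ternaries on the `find_one()` results are the right shape, since Idiorm's `find_one()` returns `false` on a miss and `?->`/`??` would not short-circuit on `false`. A short comment above the label lookup would help the next reader, because the owner filter changes what the fallback means: `// owner-scoped: a label or feed of another user reads as "Unknown" on purpose`.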
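Review bot: The new guard is a negative check — it only trips on ids that exist under another owner, so ids that match no row at all pass it — and the bare `return;` answers the request with an empty success, so the caller cannot tell a refusal from a no-op. A positive check is tighter and rejects unknown ids as well: `$owned = ORM::for_table('ttrss_filters2')->where_in('id', $ids)->where('owner_uid', $_SESSION['uid'])->count();` followed by `if ($owned !== count(array_unique($ids))) return;`. Whichever form stays, log the refusal (`user_error(..., E_USER_WARNING)` would do) so a request naming filters the session does not own leaves a trace in the server log. The method body continues past the end of the hunk.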