knadh/listmonk
1
1
Fork 0
mirror of https://github.com/knadh/listmonk.git synced 2025-10-04 04:14:43 +08:00
Code Issues Projects Releases Packages Wiki Activity

Fix GET subscribers not filtering by list permissions. Closes #2129.

Browse source
This commit is contained in:
Kailash Nadh 2024-11-12 22:59:33 +05:30
parent 8b213f0996
commit 894d284309
2 changed files with 12 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
cmd/subscribers.go
View file

@ -706,11 +706,18 @@ func filterListQeryByPerm(qp url.Values, user models.User, app *App) ([]int, err
}
listIDs = user.FilterListsByPerm(ids, true, true)
} else {
// There are no incoming params. If the user doesn't have permission to get all subscribers,
// filter by the lists they have access to.
}
// There are no incoming params. If the user doesn't have permission to get all subscribers,
// filter by the lists they have access to.
if len(listIDs) == 0 {
if _, ok := user.PermissionsMap[models.PermSubscribersGetAll]; !ok {
listIDs = user.GetListIDs
if len(user.GetListIDs) > 0 {
listIDs = user.GetListIDs
} else {
// User doesn't have access to any lists.
listIDs = []int{-1}
}
}
}

2
internal/core/subscribers.go
View file

@ -120,7 +120,7 @@ func (c *Core) QuerySubscribers(query string, listIDs []int, subStatus string, o
}
// Run the query again and fetch the actual data. stmt is the raw SQL query.
var out models.Subscribers
out := models.Subscribers{}
stmt := fmt.Sprintf(c.q.QuerySubscribersCount, cond)
stmt = strings.ReplaceAll(c.q.QuerySubscribers, "%query%", cond)
stmt = strings.ReplaceAll(stmt, "%order%", orderBy+" "+order)