From 547505f7d83c09465861d2bd93cb070dc4cbb676 Mon Sep 17 00:00:00 2001
From: Jens Ulferts
Date: Fri, 1 Mar 2013 09:35:48 +0100
Subject: [PATCH] limits entries to those with user_id beeing id of current user for own permission
Otherwise entries from other users will be returned even if the user only has the right to view own entries
---
 app/models/cost_query/filter/permission_filter.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/cost_query/filter/permission_filter.rb b/app/models/cost_query/filter/permission_filter.rb
index d8bd5f12f6..958db9a802 100644
--- a/app/models/cost_query/filter/permission_filter.rb
+++ b/app/models/cost_query/filter/permission_filter.rb
@@ -11,7 +11,7 @@ class CostQuery::Filter::PermissionFilter < CostQuery::Filter::Base
   end
   def permission_for(type)
-    "(#{permission_statement :"view_own_#{type}_entries"} " \
+    "((#{permission_statement :"view_own_#{type}_entries"} AND user_id = #{User.current.id}) " \
       "OR #{permission_statement :"view_#{type}_entries"})"
   end
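Review bot: The added line interpolates `User.current.id` straight into the SQL fragment, so when the current user has no persisted id (an anonymous or unsaved user, if that can occur here) the fragment becomes `user_id = )` and the whole query fails with a syntax error instead of simply matching nothing. Quoting the value through the adapter keeps the fragment well-formed for every input: `"((#{permission_statement :"view_own_#{type}_entries"} AND user_id = #{ActiveRecord::Base.connection.quote(User.current.id)}) " \`. The unqualified `user_id` column is also worth a look: if the generated query ever joins a second table that has a `user_id` column the reference becomes ambiguous, so qualifying it with the entries table name would make the filter robust against future joins. Consider adding a short comment above `permission_for` stating that the "own" branch is scoped to the current user's id, since that is the security property this change introduces and the string is otherwise easy to misread.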