limits entries to those with user_id beeing id of current user for own permission

Otherwise entries from other users will be returned even if the user only has the right to view own entries
12 years ago · 547505f7d8
parent 8862738b2c
commit 547505f7d8
1 changed files with 1 additions and 1 deletions
--- a/app/models/cost_query/filter/permission_filter.rb
+++ b/app/models/cost_query/filter/permission_filter.rb
@ -11,7 +11,7 @@ class CostQuery::Filter::PermissionFilter < CostQuery::Filter::Base
  end

  def permission_for(type)
-    "(#{permission_statement :"view_own_#{type}_entries"} " \
+    "((#{permission_statement :"view_own_#{type}_entries"} AND user_id = #{User.current.id}) " \
    "OR #{permission_statement :"view_#{type}_entries"})"
  end