I think I've come across a bug with the permissions and anonymous users.
You have 3 categories and each of those categories can only be viewed by certain groups:
Category 1 -> Registered Users
Category 2 -> Registered Users
Category 3 -> Anonymous Users
Log out of the system and go to the documents section. All three categories are visible even though only category 3 should be visible.
I looked in the functions.php file and came to the conclusion that the $usersid field being passed into the checkMyDownloadsPermission($groupid, $usersid) function is null. This is because no specific user permissions were set for that category, only group permissions were set. This makes sense.
Then, you set the $uid to null because the current user is anonymous. This also makes sense.
The problem comes further down, around line 120 in functions.php. There is the following block of code:
    for ($i=0; $i<count($usersid); $i++) {
        //echo $usersid[$i];
        if ($usersid[$i]==$uid) {
            return true;
        }
    }
    return false;
Since both $usersid and $uid are null, this block of code will return true, which indicates that the anonymous user DOES have permission to access the category. Since these two fields will always be null, the anonymous user gets to see all categories. In addition, the $usersid will ALWAYS be null or empty in this case because you can't assign an anonymous user to a category. You can only assign the anonymous group to a category.
I was able to resolve the problem (I need to do some further testing though) by modifying the block of code above to look like this:
    for ($i=0; $i<count($usersid); $i++) {
        //echo $usersid[$i];
        // HACK: CODE ADDED
        if ($uid == null) {
            return false;
        }
        // END HACK
        if ($usersid[$i]==$uid) {
            return true;
        }
    }
    return false;
What this hack does is simply return false if we have a null user (anonymous), ensuring that the category is not shown.
I was hoping someone else can verify my findings. Please post here.
Thank you.
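Added example, not part of the original post and not the project's own code: the loose `==` loop from the post next to a stricter per-user check, run over constructed user lists. The function names, the sample lists, and the idea that the list may hold an empty entry (as `explode(',', '')` produces) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Same shape as the loop quoted in the post: loose == against each entry.
function looseUserCheck(array $usersid, $uid): bool
{
    foreach ($usersid as $id) {
        // Loose equality treats "" and null as equal to a null $uid.
        if ($id == $uid) {
            return true;
        }
    }
    return false;
}

// Hypothetical hardened form: an anonymous caller never matches a per-user
// grant, and only numeric ids are compared, as integers, with ===.
function strictUserCheck(array $usersid, $uid): bool
{
    if (!is_numeric($uid) || (int)$uid <= 0) {
        return false; // anonymous or malformed id: deny by default
    }
    foreach ($usersid as $id) {
        if (is_numeric($id) && (int)$id === (int)$uid) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: ways a category's per-user list can look when
// only group permissions were set, plus one list with real ids.
$lists = [
    'empty list'            => [],
    'list with empty entry' => explode(',', ''),
    'list with null entry'  => [null],
    'real ids 4 and 7'      => ['4', '7'],
];

foreach ($lists as $label => $list) {
    foreach ([null, 7] as $uid) {
        printf(
            "%-22s uid=%-4s loose=%-5s strict=%s\n",
            $label,
            var_export($uid, true),
            var_export(looseUserCheck($list, $uid), true),
            var_export(strictUserCheck($list, $uid), true)
        );
    }
}
```

Run it with the PHP command line and compare the loose and strict columns for the anonymous (null) caller on each list.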