From d27fc4917f5d936588b2f3f4fd1750981b403b08 Mon Sep 17 00:00:00 2001
From: Roy Johnson
Date: Wed, 28 Jun 2006 19:13:44 +0000
Subject: [PATCH] fix - Secure the search function
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Asset/Wobject/Search.pm | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index f466be791..cf1be3add 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -9,4 +9,5 @@
 - fix: Search returns not restricted to chosen path or asset type
 - fix: Product Asset - specification labels not showing
 - fix: Folders displayed for underprivileged users (wouter / Procolix)
+ - fix: Secure the search function
diff --git a/lib/WebGUI/Asset/Wobject/Search.pm b/lib/WebGUI/Asset/Wobject/Search.pm
index 96492fd56..d6018bdf5 100644
--- a/lib/WebGUI/Asset/Wobject/Search.pm
+++ b/lib/WebGUI/Asset/Wobject/Search.pm
@@ -141,12 +141,13 @@ sub view {
 my @results = ();
 my $rs = $search->getResultSet;
 while (my $data = $rs->hashRef) {
- next unless ($self->session->user->userId eq $data->{ownerUserId} || $self->session->user->isInGroup($data->{groupIdView}) || $self->session->user->isInGroup($data->{groupIdEdit}));
- push(@results, {
+ if ($self->session->user->userId eq $data->{ownerUserId} || $self->session->user->isInGroup($data->{groupIdView}) || $self->session->user->isInGroup($data->{groupIdEdit})) {
+ push(@results, {
 url=>$data->{url},
 title=>$data->{title},
 synposis=>$data->{synopsis},
 });
+ }
 }
 my $p = WebGUI::Paginator->new($self->session,$self->getUrl('doit=1;keywords='.$self->session->url->escape($self->session->form->get('keywords'))));
 $p->setDataByArrayRef(\@results);
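Review bot: The new `if (...)` guard around `push(@results, {` tests the same three conditions as the `next unless (...)` it replaces, so as far as the visible lines show, this hunk does not change which rows reach `@results`; if the security fix depends on a behavioural change, a regression test asserting that a user who is neither owner nor in `groupIdView`/`groupIdEdit` gets no hit would pin it down. The guard is also an inline copy of the view-permission rule, which can drift from the rule used when the asset itself is rendered; if the asset layer exposes its own view check, calling it here would keep search and page access consistent. At minimum, add a comment above the guard, e.g. `# Only list hits the current user may view: owner, or member of the view or edit group.` The `synposis` key in the pushed hash looks like a misspelling of `synopsis`; confirm which spelling the search template reads before changing it. `view` starts and ends outside the hunk.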