From cb6b7175314f15074e053ca80fef10e5c9b82094 Mon Sep 17 00:00:00 2001
From: Franck Villaume
Date: Sat, 2 Jul 2022 19:13:57 +0200
Subject: [PATCH] fix permission access: display news to ppl with correct rights

---
 src/www/news/news_utils.php | 183 ++++++++++++++++++------------------
 1 file changed, 92 insertions(+), 91 deletions(-)

diff --git a/src/www/news/news_utils.php b/src/www/news/news_utils.php
index 5c89907fae..0d548c92e7 100644
--- a/src/www/news/news_utils.php
+++ b/src/www/news/news_utils.php
@@ -5,7 +5,7 @@
  * Copyright 1999-2001 (c) VA Linux Systems
  * Copyright 2002-2004 (c) GForge Team
  * Copyright (C) 2011 Alain Peyrat - Alcatel-Lucent
- * Copyright 2017,2019, Franck Villaume - TrivialDev
+ * Copyright 2017,2019,2022, Franck Villaume - TrivialDev
  * http://fusionforge.org/
  *
  * This file is part of FusionForge. FusionForge is free software;
@@ -99,10 +99,10 @@ function news_show_latest($group_id = 0, $limit = 10, $show_summaries = true, $a
 users.user_name, users.realname, users.user_id, news_bytes.forum_id, news_bytes.summary, news_bytes.post_date, news_bytes.details,forum_group_list.forum_name
- FROM users
- JOIN news_bytes ON (users.user_id=news_bytes.submitted_by)
- JOIN groups ON (news_bytes.group_id=groups.group_id)
- LEFT OUTER JOIN forum_group_list ON news_bytes.forum_id = forum_group_list.group_forum_id
+ FROM users
+ JOIN news_bytes ON (users.user_id=news_bytes.submitted_by)
+ JOIN groups ON (news_bytes.group_id=groups.group_id)
+ LEFT OUTER JOIN forum_group_list ON news_bytes.forum_id = forum_group_list.group_forum_id
 WHERE (news_bytes.group_id=$1 AND news_bytes.is_approved <> 4 OR 1!=$2) AND (news_bytes.is_approved=1 OR 1 != $3) AND groups.status=$4
@@ -112,100 +112,104 @@ function news_show_latest($group_id = 0, $limit = 10, $show_summaries = true, $a $group_id != GROUP_IS_NEWS ? 0 : 1, 'A'), $l); - $rows=db_numrows($result); $return = ''; - - if (!$result || $rows < 1) { + if (!$result) { $return .= $HTML->warning_msg(_('No news found.')); $return .= db_error(); } else { - for ($i=0; $i<$rows; $i++) { - $t_thread_title = db_result($result,$i,'summary'); - $t_thread_url = "/forum/forum.php?forum_id=" . db_result($result,$i,'forum_id'); - $t_thread_author = util_display_user(db_result($result,$i,'user_name'), db_result($result,$i,'user_id'), db_result($result,$i,'realname')); - - $return .= '
'; - $return .= "\n"; - if ($show_summaries && $limit) { - //get the first paragraph of the story - if (strstr(db_result($result,$i,'details'),'
')) { - // the news is html, fckeditor made for example - $arr=explode("
",db_result($result,$i,'details')); + $rows = db_numrows($result); + for ($i = 0; $i < $rows; $i++) { + if (forge_check_perm('project_read', db_result($result, $i, 'group_id'))) { + $t_thread_title = db_result($result,$i,'summary'); + $t_thread_url = "/forum/forum.php?forum_id=" . db_result($result,$i,'forum_id'); + $t_thread_author = util_display_user(db_result($result,$i,'user_name'), db_result($result,$i,'user_id'), db_result($result,$i,'realname')); + + $return .= '
'; + $return .= "\n"; + if ($show_summaries && $limit) { + //get the first paragraph of the story + if (strstr(db_result($result,$i,'details'),'
')) { + // the news is html, fckeditor made for example + $arr=explode("
",db_result($result,$i,'details')); + } else { + $arr=explode("\n",db_result($result,$i,'details')); + } + $summ_txt=util_make_links( $arr[0] ); + $summ_txt = util_gen_cross_ref($summ_txt); + $proj_name=util_make_link_g (strtolower(db_result($result,$i,'unix_group_name')),db_result($result,$i,'group_id'),db_result($result,$i,'group_name')); } else { - $arr=explode("\n",db_result($result,$i,'details')); + $proj_name=''; + $summ_txt=''; } - $summ_txt=util_make_links( $arr[0] ); - $summ_txt = util_gen_cross_ref($summ_txt); - $proj_name=util_make_link_g (strtolower(db_result($result,$i,'unix_group_name')),db_result($result,$i,'group_id'),db_result($result,$i,'group_name')); - } else { - $proj_name=''; - $summ_txt=''; - } - $forum_exists = False; - if (db_result($result,$i,'forum_name')) { - $forum_exists = True; - } - - if (!$limit) { - if ($show_forum && $forum_exists) { - $return .= '

'.util_make_link ($t_thread_url, $t_thread_title).'

'; - } else { - $return .= '

'. $t_thread_title . '

'; - } - $return .= '   '. date(_('Y-m-d H:i'),db_result($result,$i,'post_date')).'
'; - } else { - if ($show_forum && $forum_exists) { - $return .= '

'.util_make_link ($t_thread_url, $t_thread_title).'

'; - } else { - $return .= '

'. $t_thread_title . '

'; - } - $return .= '
'; - $return .= $t_thread_author; - $return .= ' - '; - $return .= relative_date(db_result($result,$i,'post_date')); - $return .= ' - '; - $return .= $proj_name ; - $return .= "
\n"; - - if ($summ_txt != "") { - $return .= '

'.$summ_txt.'

'; + $forum_exists = False; + if (db_result($result,$i,'forum_name')) { + $forum_exists = True; } - $res2 = db_query_params ('SELECT total FROM forum_group_list_vw WHERE group_forum_id=$1', - array (db_result($result,$i,'forum_id'))); - $num_comments = db_result($res2,0,'total'); - - if (!$num_comments) { - $num_comments = '0'; - } - - if ($num_comments <= 1) { - $comments_txt = _('Comment'); + if (!$limit) { + if ($show_forum && $forum_exists) { + $return .= '

'.util_make_link ($t_thread_url, $t_thread_title).'

'; + } else { + $return .= '

'. $t_thread_title . '

'; + } + $return .= '   '. date(_('Y-m-d H:i'),db_result($result,$i,'post_date')).'
'; } else { - $comments_txt = _('Comments'); + if ($show_forum && $forum_exists) { + $return .= '

'.util_make_link ($t_thread_url, $t_thread_title).'

'; + } else { + $return .= '

'. $t_thread_title . '

'; + } + $return .= '
'; + $return .= $t_thread_author; + $return .= ' - '; + $return .= relative_date(db_result($result,$i,'post_date')); + $return .= ' - '; + $return .= $proj_name ; + $return .= "
\n"; + + if ($summ_txt != "") { + $return .= '

'.$summ_txt.'

'; + } + + $res2 = db_query_params ('SELECT total FROM forum_group_list_vw WHERE group_forum_id=$1', + array (db_result($result,$i,'forum_id'))); + $num_comments = db_result($res2,0,'total'); + + if (!$num_comments) { + $num_comments = '0'; + } + + if ($num_comments <= 1) { + $comments_txt = _('Comment'); + } else { + $comments_txt = _('Comments'); + } + + if ($show_forum) { + $link_text = _('Read More/Comment') ; + $extra_params = array( 'class' => 'dot-link', + 'title' => $link_text . ' ' . $t_thread_title); + $return .= "\n"; + $return .= '
' . $num_comments .' '. $comments_txt .' '; + $return .= util_make_link ($t_thread_url, $link_text, $extra_params); + $return .= '
'; + } else { + $return .= ''; + } } - if ($show_forum) { - $link_text = _('Read More/Comment') ; - $extra_params = array( 'class' => 'dot-link', - 'title' => $link_text . ' ' . $t_thread_title); - $return .= "\n"; - $return .= '
' . $num_comments .' '. $comments_txt .' '; - $return .= util_make_link ($t_thread_url, $link_text, $extra_params); - $return .= '
'; - } else { - $return .= ''; + if ($limit) { + $limit--; } + $return .= "\n"; + $return .= '
'; + $return .= "\n\n"; } - - if ($limit) { - $limit--; - } - $return .= "\n"; - $return .= '
'; - $return .= "\n\n"; + } + if (!strlen($return)) { + $return .= $HTML->warning_msg(_('No news found.')); } if ($group_id != GROUP_IS_NEWS) { @@ -220,14 +224,11 @@ function news_show_latest($group_id = 0, $limit = 10, $show_summaries = true, $a $return .= '
...
'; } } - } - if ($allow_submit && $group_id != GROUP_IS_NEWS) { - if(!$result || $rows < 1) { - $return .= ''; + if ($allow_submit && $group_id != GROUP_IS_NEWS) { + //you can only submit news from a project now + //you used to be able to submit general news + $return .= '
' . util_make_link ('/news/submit.php?group_id='.$group_id, _('Submit News')).'
'; } - //you can only submit news from a project now - //you used to be able to submit general news - $return .= '
' . util_make_link ('/news/submit.php?group_id='.$group_id, _('Submit News')).'
'; } return $return; } -- 2.30.2