> 
> > $article = mgd_list_ropic_articles($my_topic->id);
> > while (article->fetch()) {
> > $a = mgd_get_article($id);
> > <a href=&(a.id);?action=someaction> }
> 
> Shouldn't that be:
> 
> $article = mgd_list_ropic_articles($my_topic->id);
> while ($article->fetch()) {
>    ?><a href="&(article.id);?action=someaction"><?
> }
> 

It naturally depends on whether you need the whole article record or just the
parts which you get with list topic articles... Of course in this
example that would be enough.

> > and there is no problem to see what is in url and type in browser
> > any number. For example 1 or 2 or 3 which points to other
> > articles, which can not be shown.
> 

As I understand the problem, it's that since we do an HTTP GET the URI is
shown in the browser, so anyone can change the article id and thus see
articles they should not.

Since in Midgard by default everyone has read rights to articles, we need
to have checks in the active page that shows the articles. One good
check might be that it only shows articles that are part of the 'public'
topic tree if no-one is logged in [if a bot user is used for saving
data from forms etc., remember to make sure it has a check too]; another
good check might be that if the account logged in is not a member of the
topic owner group and the topic is part of the 'private' tree, then the
article is not shown.

/Rambo
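One way to put the two checks above into the page that displays a single article, written as an added example rather than code from this thread or from Midgard itself. It assumes, beyond what the thread shows, that `mgd_get_topic($id)` returns a topic with `->up` (parent topic id, 0 at the root), `->name` and `->owner` (a group id); that `mgd_get_article($id)` returns an article with `->topic`; that `$midgard->user` is the id of the logged-in person (0 when nobody is logged in); that `mgd_list_group_members($group)` returns a fetchable list with a `->person` field; that the article id arrives as the first path argument `$argv[0]`; and that the form-saving bot account's id is in `$bot_user_id`. Those names are assumptions for illustration; substitute the site's own calls.

```php
<?php
// Added example (not from the original thread or from Midgard). The Midgard
// calls and fields marked "assumed" are not shown on the page.

function root_topic_name($topic_id) {
    // Walk up the topic tree and return the name of the top-level topic
    // ('public' or 'private' in the scheme described above).
    $hops = 0;
    while ($topic_id && $hops++ < 100) {      // hop limit guards against cycles
        $topic = mgd_get_topic($topic_id);     // assumed: returns ->up, ->name, ->owner
        if (!$topic) return null;
        if (!$topic->up) return $topic->name;
        $topic_id = $topic->up;
    }
    return null;
}

function user_in_group($person_id, $group_id) {
    // Membership lookup; mgd_list_group_members and ->person are assumed names.
    $members = mgd_list_group_members($group_id);
    if (!$members) return false;
    while ($members->fetch()) {
        if ($members->person == $person_id) return true;
    }
    return false;
}

function article_visible_to_viewer($article_id, $viewer_id) {
    global $bot_user_id;
    // Cast the id from the URL: the viewer controls it completely.
    $article = mgd_get_article((int)$article_id);
    if (!$article) return false;

    $root = root_topic_name($article->topic);  // assumed: article has ->topic
    if ($root === 'public') return true;

    // Anonymous visitors, and the bot used for saving form data, only ever
    // see the public tree.
    if (!$viewer_id || $viewer_id == $bot_user_id) return false;

    if ($root === 'private') {
        $topic = mgd_get_topic($article->topic);
        return $topic && user_in_group($viewer_id, $topic->owner);
    }
    // Anything outside the two known trees is hidden: fail closed.
    return false;
}

// In the page that shows one article (id taken from the URL, assumed $argv[0]):
$id = (int)$argv[0];
if (!article_visible_to_viewer($id, $midgard->user)) {
    // Same response as for a non-existent id, so a guessed id reveals nothing.
    header("HTTP/1.0 404 Not Found");
    exit;
}
$article = mgd_get_article($id);
?>
```

The important design choice is that the check happens on the page that renders the article, not on the page that builds the links: the list page can hide links all it likes, but the id is in the URL and can be typed in directly. Returning the same 404 for "forbidden" and "does not exist" keeps an attacker from enumerating which ids are real.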
