From 21dcac3e4a46a39d7f93817a6f481471e034999a Mon Sep 17 00:00:00 2001
From: Fred Gleason
Date: Fri, 13 Jan 2017 19:03:22 -0500
Subject: [PATCH] 2017-01-13 Fred Gleason * Fixed a bug in 'lib/rduser.cpp' that caused the 'RDUser::groupAuthorized()' to return false positive results.
---
 ChangeLog | 3 +++
 lib/rduser.cpp | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f67e2e9d..ff602f95 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -15507,3 +15507,6 @@
 * Fixed a bug in 'rdlogedit/edit_log.cpp' that caused the Modified datestamp to be updated when 'OK' was clicked even if no changes were made.
+2017-01-13 Fred Gleason
+ * Fixed a bug in 'lib/rduser.cpp' that caused the
+ 'RDUser::groupAuthorized()' to return false positive results.
diff --git a/lib/rduser.cpp b/lib/rduser.cpp
index 5d7ee73e..a4d45727 100644
--- a/lib/rduser.cpp
+++ b/lib/rduser.cpp
@@ -390,9 +390,9 @@ bool RDUser::groupAuthorized(const QString &group_name)
 RDSqlQuery *q;
 bool ret=false;
- sql=QString().
- sprintf("select GROUP_NAME from USER_PERMS where USER_NAME=\"%s\"",
- (const char *)RDEscapeString(user_name));
+ sql=QString("select GROUP_NAME from USER_PERMS where ")+
+ "(USER_NAME=\""+RDEscapeString(user_name)+"\")&&"+
+ "(GROUP_NAME=\""+RDEscapeString(group_name)+"\")";
 q=new RDSqlQuery(sql);
 ret=q->first();
 delete q;
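Review bot: In the lib/rduser.cpp hunk, groupAuthorized() makes its authorization decision from SQL assembled by string concatenation, so its safety rests entirely on RDEscapeString(), whose body is not visible here. Both values sit inside double-quoted literals, which MySQL treats as identifiers when the server runs with ANSI_QUOTES, so bound parameters would be more robust if RDSqlQuery offers them. The `&&` operator is a MySQL extension; the portable spelling is `"(USER_NAME=\""+RDEscapeString(user_name)+"\") and "+`. Because the old query answered true for any group once the user had a single USER_PERMS row, a comment above the query such as `// true only if a USER_PERMS row links this user to group_name`, plus a regression check with a user who lacks the group, would pin the fix. The function begins and ends outside the hunk, so its return path is not reviewed here.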