From 894d284309378efd8b9e18ffd067579df6869c3f Mon Sep 17 00:00:00 2001 From: Kailash Nadh Date: Tue, 12 Nov 2024 22:59:33 +0530 Subject: [PATCH] Fix GET subscribers not filtering by list permissions. Closes #2129. --- cmd/subscribers.go | 15 +++++++++++---- internal/core/subscribers.go | 2 +- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/cmd/subscribers.go b/cmd/subscribers.go index f366f67c7..5497cbb41 100644 --- a/cmd/subscribers.go +++ b/cmd/subscribers.go @@ -706,11 +706,18 @@ func filterListQeryByPerm(qp url.Values, user models.User, app *App) ([]int, err } listIDs = user.FilterListsByPerm(ids, true, true) - } else { - // There are no incoming params. If the user doesn't have permission to get all subscribers, - // filter by the lists they have access to. + } + + // There are no incoming params. If the user doesn't have permission to get all subscribers, + // filter by the lists they have access to. + if len(listIDs) == 0 { if _, ok := user.PermissionsMap[models.PermSubscribersGetAll]; !ok { - listIDs = user.GetListIDs + if len(user.GetListIDs) > 0 { + listIDs = user.GetListIDs + } else { + // User doesn't have access to any lists. + listIDs = []int{-1} + } } } diff --git a/internal/core/subscribers.go b/internal/core/subscribers.go index d49e82855..5415ef4de 100644 --- a/internal/core/subscribers.go +++ b/internal/core/subscribers.go @@ -120,7 +120,7 @@ func (c *Core) QuerySubscribers(query string, listIDs []int, subStatus string, o } // Run the query again and fetch the actual data. stmt is the raw SQL query. - var out models.Subscribers + out := models.Subscribers{} stmt := fmt.Sprintf(c.q.QuerySubscribersCount, cond) stmt = strings.ReplaceAll(c.q.QuerySubscribers, "%query%", cond) stmt = strings.ReplaceAll(stmt, "%order%", orderBy+" "+order)