From 7f991e848042fe43849d4e2e31bbf9c7ff3afce3 Mon Sep 17 00:00:00 2001
From: Andreas Fischer <bantu@phpbb.com>
Date: Fri, 5 Mar 2010 18:51:30 +0100
Subject: [PATCH 1/2] Fix Bug #58595 - ATOM Feed exposes forum content under
 some circumstances.

---
 phpBB/docs/CHANGELOG.html | 1 +
 phpBB/feed.php            | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 3042027e83..112e8451cd 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -99,6 +99,7 @@
 		<li>[Fix] Add terminating semicolons to JavaScript code. (Bug #58085 - Patch by nn-)</li>
 		<li>[Fix] Minor language fixes. (Bug #54855)</li>
 		<li>[Fix] Parsing urls in signatures properly uses config settings. (Bug #57105)</li>
+		<li>[Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)</li>
 		<li>[Feature] Support for Microsoft's Native SQL Server Driver for PHP (Bug #57055 - Patch by Chris Pucci at Microsoft)</li>
 	</ul>
 
diff --git a/phpBB/feed.php b/phpBB/feed.php
index 1832efbc61..a42aa42a7f 100644
--- a/phpBB/feed.php
+++ b/phpBB/feed.php
@@ -522,7 +522,7 @@ class phpbb_feed_base
 
 		if (!isset($forum_ids))
 		{
-			$forum_ids = array_keys($auth->acl_getf('f_read'));
+			$forum_ids = array_keys($auth->acl_getf('f_read', true));
 		}
 
 		return $forum_ids;

From f0a82396d48829a623ca716dc8c7d95e6aed2941 Mon Sep 17 00:00:00 2001
From: Nils Adermann <naderman@naderman.de>
Date: Fri, 5 Mar 2010 20:50:56 +0100
Subject: [PATCH 2/2] Mark the bugfix #58595 as a security fix

---
 phpBB/docs/CHANGELOG.html | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 112e8451cd..0897328949 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -53,6 +53,7 @@
 <ol>
 	<li><a href="#changelog">Changelog</a>
 	<ol style="list-style-type: lower-roman;">
+		<li><a href="#v307">Changes since 3.0.7-PL1</a></li>
 		<li><a href="#v307">Changes since 3.0.7</a></li>
 		<li><a href="#v306">Changes since 3.0.6</a></li>
 		<li><a href="#v305">Changes since 3.0.5</a></li>
@@ -88,7 +89,7 @@
 
 		<div class="content">
 
-	<a name="v307"></a><h3>1.i. Changes since 3.0.7</h3>
+	<a name="v307-pl1"></a><h3>1.i. Changes since 3.0.7-PL1</h3>
 
 	<ul>
 		<li>[Fix] Correctly sort database backup file list by date on database restore page. (Bug #57385)</li>
@@ -99,10 +100,15 @@
 		<li>[Fix] Add terminating semicolons to JavaScript code. (Bug #58085 - Patch by nn-)</li>
 		<li>[Fix] Minor language fixes. (Bug #54855)</li>
 		<li>[Fix] Parsing urls in signatures properly uses config settings. (Bug #57105)</li>
-		<li>[Fix] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)</li>
 		<li>[Feature] Support for Microsoft's Native SQL Server Driver for PHP (Bug #57055 - Patch by Chris Pucci at Microsoft)</li>
 	</ul>
 
+	<a name="v307"></a><h3>1.i. Changes since 3.0.7</h3>
+
+	<ul>
+		<li>[Sec] Do not expose forum content of forums with ACL entries but no actual permission in ATOM Feeds. (Bug #58595)</li>
+	</ul>
+
 	<a name="v306"></a><h3>1.ii. Changes since 3.0.6</h3>
 
 	<ul>