From d41cf293e1609be9d0cc08e5ccd37947481e61ca Mon Sep 17 00:00:00 2001
From: Joas Schilling <nickvergessen@gmx.de>
Date: Thu, 14 Mar 2013 12:10:07 +0100
Subject: [PATCH] [ticket/9657] Check for post visibility when searching with
 Sphinx

This update will require admins to manually update their Sphinx config
file aswell as to delete the index and rebuild it from scratch. Before
this is done the search will not be usable anymore.

PHPBB3-9657
---
 phpBB/docs/sphinx.sample.conf             |  5 +++++
 phpBB/includes/search/fulltext_sphinx.php | 10 ++++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/phpBB/docs/sphinx.sample.conf b/phpBB/docs/sphinx.sample.conf
index fcaba6dcf3..179f06b2e5 100644
--- a/phpBB/docs/sphinx.sample.conf
+++ b/phpBB/docs/sphinx.sample.conf
@@ -19,6 +19,8 @@ source source_phpbb_{SPHINX_ID}_main
 							p.topic_id,
 \
 							p.poster_id,
+\
+							p.post_visibility,
 \
 							CASE WHEN p.post_id = t.topic_first_post_id THEN 1 ELSE 0 END as topic_first_post,
 \
@@ -47,6 +49,7 @@ source source_phpbb_{SPHINX_ID}_main
 	sql_attr_uint = forum_id
 	sql_attr_uint = topic_id
 	sql_attr_uint = poster_id
+	sql_attr_uint = post_visibility
 	sql_attr_bool = topic_first_post
 	sql_attr_bool = deleted
 	sql_attr_timestamp = post_time
@@ -66,6 +69,8 @@ source source_phpbb_{SPHINX_ID}_delta : source_phpbb_{SPHINX_ID}_main
 							p.topic_id,
 \
 							p.poster_id,
+\
+							p.post_visibility,
 \
 							CASE WHEN p.post_id = t.topic_first_post_id THEN 1 ELSE 0 END as topic_first_post,
 \
diff --git a/phpBB/includes/search/fulltext_sphinx.php b/phpBB/includes/search/fulltext_sphinx.php
index 441fb2583b..5d5e0ab8f9 100644
--- a/phpBB/includes/search/fulltext_sphinx.php
+++ b/phpBB/includes/search/fulltext_sphinx.php
@@ -274,6 +274,7 @@ class phpbb_search_fulltext_sphinx
 						p.forum_id,
 						p.topic_id,
 						p.poster_id,
+						p.post_visibility,
 						CASE WHEN p.post_id = t.topic_first_post_id THEN 1 ELSE 0 END as topic_first_post,
 						p.post_time,
 						p.post_subject,
@@ -291,6 +292,7 @@ class phpbb_search_fulltext_sphinx
 				array('sql_attr_uint',				'forum_id'),
 				array('sql_attr_uint',				'topic_id'),
 				array('sql_attr_uint',				'poster_id'),
+				array('sql_attr_uint',				'post_visibility'),
 				array('sql_attr_bool',				'topic_first_post'),
 				array('sql_attr_bool',				'deleted'),
 				array('sql_attr_timestamp'	,		'post_time'),
@@ -306,6 +308,7 @@ class phpbb_search_fulltext_sphinx
 						p.forum_id,
 						p.topic_id,
 						p.poster_id,
+						p.post_visibility,
 						CASE WHEN p.post_id = t.topic_first_post_id THEN 1 ELSE 0 END as topic_first_post,
 						p.post_time,
 						p.post_subject,
@@ -569,10 +572,13 @@ class phpbb_search_fulltext_sphinx
 			$this->sphinx->SetFilter('poster_id', $author_ary);
 		}
 
+		// As this is not simply possible at the moment, we limit the result to approved posts.
+		// This will make it impossible for moderators to search unapproved and softdeleted posts,
+		// but at least it will also cause the same for normal users.
+		$this->sphinx->SetFilter('post_visibility', array(ITEM_APPROVED));
+
 		if (sizeof($ex_fid_ary))
 		{
-			//@todo: Limit using $post_visibility
-
 			// All forums that a user is allowed to access
 			$fid_ary = array_unique(array_intersect(array_keys($this->auth->acl_getf('f_read', true)), array_keys($this->auth->acl_getf('f_search', true))));
 			// All forums that the user wants to and can search in