From bb6b022d7c86f1881c518a9216f82bb9f5a92591 Mon Sep 17 00:00:00 2001 From: "Committo,Ergo:sum" <esj@rezo.net> Date: Mon, 14 Jan 2008 13:01:58 +0000 Subject: [PATCH] =?UTF-8?q?D'accord=20avec=20[10998]=C2=A0pour=20que=20l'a?= =?UTF-8?q?cc=C3=A8s=20aux=20documents=20soit=20donn=C3=A9e=20par=20une=20?= =?UTF-8?q?cl=C3=A9=20en=20amont=20(d'autant=20que=20=C3=A7a=20=C3=A9vite?= =?UTF-8?q?=20de=20produire=20des=20icones=20menant=20syst=C3=A9matiquemen?= =?UTF-8?q?t=20=C3=A0=20un=20acc=C3=A8s=20interdit)=20mais=20du=20coup=20l?= =?UTF-8?q?e=20autoriser=5Fdocument=5Fvoir=20devait=20y=20migrer=20aussi?= =?UTF-8?q?=20plutot=20que=20de=20disparaitre=20compl=C3=A8tement.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ecrire/inc/autoriser.php | 3 +++ ecrire/inc/documents.php | 33 +++++++++++++++++---------------- 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/ecrire/inc/autoriser.php b/ecrire/inc/autoriser.php index aab3333ae1..5f5aabce1d 100644 --- a/ecrire/inc/autoriser.php +++ b/ecrire/inc/autoriser.php @@ -519,6 +519,9 @@ function autoriser_chargerftp_dist($faire, $type, $id, $qui, $opt) { // // http://doc.spip.org/@autoriser_document_voir_dist function autoriser_document_voir_dist($faire, $type, $id, $qui, $opt) { + + if (($id = intval($id)) <= 0) return false; + if ($GLOBALS['meta']["creer_htaccess"] != 'oui') return true; diff --git a/ecrire/inc/documents.php b/ecrire/inc/documents.php index 1287076de8..3fcaacd004 100644 --- a/ecrire/inc/documents.php +++ b/ecrire/inc/documents.php @@ -14,8 +14,6 @@ if (!defined("_ECRIRE_INC_VERSION")) return; include_spip('inc/actions'); // *action_auteur et determine_upload include_spip('inc/date'); -include_spip('base/abstract_sql'); - // donne le chemin du fichier relatif a _DIR_IMG // pour stockage 'tel quel' dans la base de donnees 
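Review bot: The new guard `if (($id = intval($id)) <= 0) return false;` in `autoriser_document_voir_dist` runs before the `creer_htaccess` shortcut, so a call with no id or a non-numeric id is now refused even on sites where that shortcut returned true for every document. Callers that ask for the right generically, without an id, would change behaviour; that cannot be checked from this hunk. If deny-by-default is intended, state it above the guard, e.g. `// deny any id that is not a strictly positive integer, even when creer_htaccess is off`. The assignment inside the condition also rebinds `$id` silently; writing `$id = intval($id);` followed by `if ($id <= 0) return false;` makes it clear that the rest of the function works on the integer. The function body continues past the end of the hunk.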
@@ -55,24 +53,27 @@ function contenu_document($id_document) // http://doc.spip.org/@generer_url_document_dist function generer_url_document_dist($id_document, $args='', $ancre='') { - if (intval($id_document) <= 0) - return ''; + + include_spip('inc/autoriser'); + if (!autoriser('voir', 'document', $id_document)) return ''; + $row = sql_fetsel("fichier,distant", "spip_documents", "id_document=".sql_quote($id_document)); + if (!$row) return ''; - // Cette variable de configuration peut etre posee par un plugin - // par exemple acces_restreint - if ($GLOBALS['meta']["creer_htaccess"] == 'oui' - AND $row['distant'] != 'oui') { - include_spip('inc/securiser_action'); - $args .= ($args ? "&" : '') + + $f = $row['fichier']; + + if ($row['distant'] == 'oui') return get_spip_doc($f); + + include_spip('inc/securiser_action'); + + return generer_url_action('acceder_document', + $args . ($args ? "&" : '') . 'arg='.$id_document . ($ancre ? "&ancre=$ancre" : '') - . '&cle=' . calculer_cle_action($id_document.','.$row['fichier']) - . '&file=' . rawurlencode($row['fichier']) - ; - return generer_url_action('acceder_document', $args); - } else - return get_spip_doc($row['fichier']); + . '&cle=' . calculer_cle_action($id_document.','.$f) + . '&file=' . rawurlencode($f) + ); } // -- GitLab
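Review bot: `$id_document` is still used raw after the authorization call in `generer_url_document_dist`. The `intval()` added in `autoriser_document_voir_dist` (presumably what `autoriser('voir', 'document', ...)` dispatches to) only normalises that function's own copy. The caller's value then goes unchanged into `sql_quote()`, into `'arg='.$id_document` and into the string signed by `calculer_cle_action()`. A value that `intval()` accepts but that is not a canonical integer would be authorised as one id while the emitted URL and key carry the original text, unencoded. Casting once with `$id_document = intval($id_document);` before the `autoriser()` line keeps the check, the query and the signed URL on the same value; the unchanged `"&ancre=$ancre"` context line has the same encoding gap and would be safer as `rawurlencode($ancre)` if callers can pass arbitrary text (not visible here).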