Merge pull request #2132 from greenbone/GEA-477_user_cant_see_results

Fix: Handle permission clause for result permissions.
greenbone · Feb 9, 2024 · e9a6d99 · e9a6d99
2 parents e66a7ac + c214ddc
commit e9a6d99
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/src/manage_acl.c b/src/manage_acl.c
@@ -1143,13 +1143,14 @@ acl_where_owned_user (const char *user_id, const char *user_sql,
           else if (strcmp (type, "result") == 0)
             permission_clause
              = g_strdup_printf ("%s"
-                                " OR results%s.task IN"
+                                " OR EXISTS"
                                 " (SELECT id FROM %spermissions_subject"
-                                "  WHERE resource_type = 'task'"
+                                "  WHERE resource = results%s.task"
+                                "  AND resource_type = 'task'"
                                 "  AND (%s))",
                                 clause,
-                                get->trash ? "_trash" : "",
                                 with_prefix ? with_prefix : "",
+                                get->trash ? "_trash" : "",
                                 permission_or->str);
 
           if ((strcmp (type, "report") == 0)