fix: do not let users export forbidden images

micgro42 · micgro42 · commit a9b4c5200581 · 2018-03-19T13:42:31.000+01:00
Setting `$file` to empty is neccessary, but was later overwritten if
`$local` is set. This allowed users to export images in pdfs that they
were not allowed to see otherwise.
diff --git a/DokuImageProcessorDecorator.class.php b/DokuImageProcessorDecorator.class.php
@@ -64,8 +64,10 @@ public static function adjustGetImageLinks($file, $orig_srcpath) {
                     //check permissions (namespace only)
                     if(auth_quickaclcheck(getNS($media) . ':X') < AUTH_READ) {
                         $file = '';
+                        $local = '';
+                    } else {
+                        $local = mediaFN($media, $rev);
                     }
-                    $local = mediaFN($media, $rev);
                 }
 
                 //handle image resizing/cropping

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,10 @@ public static function adjustGetImageLinks($file, $orig_srcpath) {`
`64`	`64`	`//check permissions (namespace only)`
`65`	`65`	`if(auth_quickaclcheck(getNS($media) . ':X') < AUTH_READ) {`
`66`	`66`	`$file = '';`
	`67`	`+ $local = '';`
	`68`	`+ } else {`
	`69`	`+ $local = mediaFN($media, $rev);`
`67`	`70`	`}`
`68`		`- $local = mediaFN($media, $rev);`
`69`	`71`	`}`
`70`	`72`
`71`	`73`	`//handle image resizing/cropping`