$term_visibility = FALSE;

  // the terms this user is allowed to see
  $tids = array();
  for ($i = 1; $i <= $schemes; $i++) {
    $config = _tac_lite_config($i);
    if ($config['term_visibility']) {
      $tids = array_merge($tids, _tac_lite_user_tids($user, $i));
      $term_visibility = TRUE;
    }
  }
  
  if ($term_visibility) {
    // Prevent query from finding terms the current user does not have permission to see.
    $join = "LEFT JOIN {term_data} tac_td ON $primary_table.tid = tac_td.tid";
    $where = "$primary_table.tid IN (" . implode(', ', $tids) .
      ") OR tac_td.vid NOT IN (" . implode(',', $vids) .")";
    
    return array('join' => $join, 'where' => $where);
  }

This code is erroneous! It is possible for $tids to be an empty array, which then results in the SQL containing the clause "WHERE t.tid IN ()" which throws a syntax error. An older version includes the check

  if (count($tids) && is_array($vids) && count($vids))

which prevents the risk of that error. It probably needs to be reinstated. Was there a reason for trying to remove it?

Comment | File | Size | Author
#1 | tac_lite-1018668-1.patch | 843 bytes | martin_q
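
As an added example (not part of the original post or of the tac_lite module; the function names are hypothetical), one way to build the clause so that an empty $tids list still yields valid SQL. The empty list becomes a constant-false test, so a user with no permitted terms matches no term ids and the vocabulary restriction stays in place. It assumes $vids is non-empty and rejects an empty list.

```php
<?php
// Added example, not tac_lite code. Function names are hypothetical.

/**
 * Returns a predicate testing $column against a list of integer ids.
 * An empty list gives a constant-false predicate, so the SQL stays valid
 * and matches nothing instead of producing "IN ()".
 */
function example_in_list($column, array $ids) {
  // Force every id to an integer so only numeric literals reach the SQL.
  $ids = array_unique(array_map('intval', $ids));
  if (count($ids) == 0) {
    return '1 = 0';
  }
  return $column . ' IN (' . implode(', ', $ids) . ')';
}

/**
 * Builds the WHERE fragment from the post for any $tids, empty included.
 * Assumption: $vids is non-empty; an empty list is rejected here rather
 * than guessed at.
 */
function example_term_where($primary_table, array $tids, array $vids) {
  if (count($vids) == 0) {
    throw new InvalidArgumentException('no vocabulary ids given');
  }
  $allowed = example_in_list($primary_table . '.tid', $tids);
  $vids = array_unique(array_map('intval', $vids));
  return '(' . $allowed . ') OR tac_td.vid NOT IN (' . implode(', ', $vids) . ')';
}

// Constructed inputs: a user with two permitted terms, then one with none.
echo example_term_where('t', array(4, 7), array(2)), "\n";
echo example_term_where('t', array(), array(2)), "\n";
```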

Comments

martin_q


Patch attached.

damienmckenna

Status: Active » Closed (outdated)

Thank you for your contribution to this module. Support for Drupal 6 ended a decade ago, so I'm closing out this issue.
