When logged in with a user account that has all the Rights selected, no issues.
When logged in with a user account that has everything but "User admin" selected, they are given an error under the "10 most recent comments" section of the Admin page:
10 Most Recent Comments
Zenphoto Error
MySQL Query ( SELECT `id`, `name`, `website`, `type`, `ownerid`, (`date` + 0) AS date, comment, email, inmoderation FROM `zp_872056146708445_comments` WHERE (`type`='albums' AND ()) ORDER BY id DESC LIMIT 10 ) Failed. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')) ORDER BY id DESC LIMIT 10' at line 1
I fixed this by editing the fetchComments function in admin-functions.php to have the following (I'd like to make sure this fix is included in the next version, but I'm not too clear on how trac/svn works):
....
// Album comments: one ownerid condition per album ID, joined with OR.
$sql = "SELECT `id`, `name`, `website`, `type`, `ownerid`,"
    ." (`date` + 0) AS date, comment, email, inmoderation "
    ." FROM ".prefix('comments')." WHERE ";
$sql .= " (`type`='albums'";
$i = 0;
$temp_sql = '';
foreach ($albumIDs as $ID) {
    if ($i>0) { $temp_sql .= " OR "; }
    $temp_sql .= "(".prefix('comments').".ownerid=$ID)";
    $i++;
}
// Only append "AND (...)" when at least one album ID was added,
// so an empty $albumIDs no longer produces "AND ()".
if ($i > 0) {
    $temp_sql = " AND ($temp_sql)";
}
$sql .= "$temp_sql) ";
$sql .= " ORDER BY id DESC$limit";
$albumcomments = query_full_array($sql);
foreach ($albumcomments as $comment) {
    $comments[$comment['id']] = $comment;
}
// Image comments: same pattern, joined to the images table by album.
$sql = "SELECT .".prefix('comments').".id as id, ".prefix('comments').".name as name, `website`, `type`, `ownerid`,"
    ." (".prefix('comments').".date + 0) AS date, comment, email, inmoderation, ".prefix('images').".`albumid` as album$
    ." FROM ".prefix('comments').",".prefix('images')." WHERE ";
$sql .= "(`type`='images'";
$i = 0;
$temp_sql = '';
foreach ($albumIDs as $ID) {
    if ($i>0) { $temp_sql .= " OR "; }
    $temp_sql .= "(".prefix('comments').".ownerid=".prefix('images').".id AND ".prefix('images')
        .".albumid=$ID)";
    $i++;
}
if ($i > 0) {
    $temp_sql = " AND ($temp_sql)";
}
$sql .= "$temp_sql)";
$sql .= " ORDER BY id DESC$limit";
....
Comments
However, for this one, you do not need to make a ticket as I will incorporate a fix in the next build.
EDIT: While your change will prevent the SQL error, it does not preserve the lesser admin security. Normally an admin without `user admin` rights sees only those items owned by albums he has been assigned to administer. In the case where the SQL error occurs, the user had no albums assigned, so he should see no comments.
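
The behaviour the reply above asks for, as an added example that is not part of the original thread and not Zenphoto's own code: an empty album list yields a condition that matches nothing, instead of either the `AND ()` syntax error or an unrestricted query. The function name `albumCommentWhere()`, the table name `zp_comments` and the sample ID lists are constructed for illustration.

```php
<?php
// Added example, not Zenphoto code. albumCommentWhere() and the table name
// passed to it are hypothetical; the sample ID lists are constructed.

/**
 * WHERE clause for the album comments a restricted admin may see.
 * $albumIDs: IDs of the albums assigned to that admin (may be empty).
 */
function albumCommentWhere(array $albumIDs, string $table): string
{
    // Keep only real integers so nothing else is interpolated into the SQL.
    $ids = [];
    foreach ($albumIDs as $id) {
        $int = filter_var($id, FILTER_VALIDATE_INT);
        if ($int !== false) {
            $ids[$int] = $int;   // keyed by value to drop duplicates
        }
    }

    if (count($ids) === 0) {
        // No albums assigned: fail closed. An empty "AND ()" is a syntax
        // error, and omitting the restriction would expose every comment.
        return "(`type`='albums' AND 1=0)";
    }

    return "(`type`='albums' AND `$table`.`ownerid` IN ("
        . implode(',', $ids) . "))";
}

// Constructed inputs: no albums, two albums, and a list with a bad entry.
$cases = [[], [3, 7], ['12', '5 OR 1=1', 12]];
foreach ($cases as $albumIDs) {
    echo albumCommentWhere($albumIDs, 'zp_comments'), PHP_EOL;
}
```

The same empty-list check applies to the image-comment query, which builds its album restriction the same way.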