Fix GET subscribers not filtering by list permissions. Closes #2129.

knadh · Nov 12, 2024 · 894d284 · 894d284
1 parent 8b213f0
commit 894d284
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/cmd/subscribers.go b/cmd/subscribers.go
@@ -706,11 +706,18 @@ func filterListQeryByPerm(qp url.Values, user models.User, app *App) ([]int, err
 		}
 
 		listIDs = user.FilterListsByPerm(ids, true, true)
-	} else {
-		// There are no incoming params. If the user doesn't have permission to get all subscribers,
-		// filter by the lists they have access to.
+	}
+
+	// There are no incoming params. If the user doesn't have permission to get all subscribers,
+	// filter by the lists they have access to.
+	if len(listIDs) == 0 {
 		if _, ok := user.PermissionsMap[models.PermSubscribersGetAll]; !ok {
-			listIDs = user.GetListIDs
+			if len(user.GetListIDs) > 0 {
+				listIDs = user.GetListIDs
+			} else {
+				// User doesn't have access to any lists.
+				listIDs = []int{-1}
+			}
 		}
 	}
 

diff --git a/internal/core/subscribers.go b/internal/core/subscribers.go
@@ -120,7 +120,7 @@ func (c *Core) QuerySubscribers(query string, listIDs []int, subStatus string, o
 	}
 
 	// Run the query again and fetch the actual data. stmt is the raw SQL query.
-	var out models.Subscribers
+	out := models.Subscribers{}
 	stmt := fmt.Sprintf(c.q.QuerySubscribersCount, cond)
 	stmt = strings.ReplaceAll(c.q.QuerySubscribers, "%query%", cond)
 	stmt = strings.ReplaceAll(stmt, "%order%", orderBy+" "+order)