From cd66dfa7b5e944c75d8e89199717845ef91ed3aa Mon Sep 17 00:00:00 2001
From: Robin Sonefors <robin.sonefors@op5.com>
Date: Thu, 19 Jun 2014 09:57:43 +0200
Subject: [PATCH] recurringdowntime: Let limited users see their recurring
 downtimes

The limited authorization code accidentally based its decisions on the
full pool, instead of the empty pool, which means that the number of
objects in the downtime the user is allowed to see, plus all the objects
the user is allowed to see, had to match the actual number of objects in
the downtime.

Hence, it was possible for limited to be allowed to see schedules, but
only if they weren't supposed to see them.

This resolves bug #8807.

Change-Id: Ibdc96d97a7a5fa77d290ddd03a8e4b36bfbfcdb5
Signed-off-by: Robin Sonefors <robin.sonefors@op5.com>
---
 modules/orm/models/recurringdowntimeset.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/orm/models/recurringdowntimeset.php b/modules/orm/models/recurringdowntimeset.php
index b764012bb..e6e0ff38d 100644
--- a/modules/orm/models/recurringdowntimeset.php
+++ b/modules/orm/models/recurringdowntimeset.php
@@ -34,7 +34,7 @@ class RecurringDowntimeSet_Model extends BaseRecurringDowntimeSet_Model {
 			$id_check = new LivestatusFilterOr();
 			$filter->add($id_check);
 			foreach ($res_schedules as $schedule) {
-				$set = $poolname::all();
+				$set = $poolname::none();
 				$objects = $db->query('SELECT recurring_downtime_objects.object_name FROM recurring_downtime_objects WHERE recurring_downtime_id = '.$schedule->id);
 				$schedule_filter = new LivestatusFilterAnd();
 				foreach ($objects as $object) {
-- 
2.11.4.GIT