From 204622970c3da2cb95bb1bc55b9f19239f95d7c1 Mon Sep 17 00:00:00 2001
From: int2001
Date: Sun, 17 Sep 2023 11:36:35 +0000
Subject: [PATCH] Prevent Dataleakage at "activated grids"-view
---
 application/models/Activated_grids_model.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/application/models/Activated_grids_model.php b/application/models/Activated_grids_model.php
index 9cabf1da..72d89ce5 100644
--- a/application/models/Activated_grids_model.php
+++ b/application/models/Activated_grids_model.php
@@ -10,10 +10,11 @@ class Activated_grids_model extends CI_Model {
 if (!$logbooks_locations_array) {
 return null;
 }
-
+ $location_list = "'".implode("','",$logbooks_locations_array)."'";
 $sql = 'SELECT DISTINCT station_gridsquare AS SAT_SQUARE FROM '
 . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id '
- . 'WHERE station_profile.station_gridsquare != "" AND '.$this->config->item('table_name').'.COL_SAT_NAME != ""';
+ . 'WHERE station_profile.station_gridsquare != "" AND '.$this->config->item('table_name').'.COL_SAT_NAME != ""'
+ . ' AND station_profile.station_id in ('.$location_list.')';
 return $this->db->query($sql);
 }
@@ -32,7 +33,8 @@ class Activated_grids_model extends CI_Model {
 $sql = 'SELECT DISTINCT station_gridsquare AS SAT_SQUARE FROM '
 . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id '
 . 'WHERE station_profile.station_gridsquare != "" AND '.$this->config->item('table_name').'.COL_SAT_NAME != "" '
- . 'AND (COL_LOTW_QSL_SENT = "Y" OR COL_QSL_SENT = "Y");';
+ . 'AND (COL_LOTW_QSL_SENT = "Y" OR COL_QSL_SENT = "Y")'
+ . ' AND station_profile.station_id in ('.$location_list.')';
 return $this->db->query($sql);
 }
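Review bot: The added `$location_list` line builds the `IN (...)` clause that is supposed to enforce per-user scoping by quoting and concatenating the array values with no escaping, and the same unescaped `'.$location_list.'` splice is repeated in hunks 2, 3 and 4. If `$logbooks_locations_array` is always integer station IDs read from the database this is not exploitable, but the model cannot see that, and a caller passing request-derived values would reintroduce the leak this commit closes. CodeIgniter query bindings expand arrays into IN sets, so the concatenation can go: ` AND station_profile.station_id IN ?` in the SQL and `return $this->db->query($sql, array($logbooks_locations_array));`, or at minimum `array_map('intval', $logbooks_locations_array)` before the implode to enforce the integer assumption. Hunk 1 shows the `if (!$logbooks_locations_array) { return null; }` guard, but the other three methods start outside their hunks and define `$location_list` there, so it is worth confirming they carry the same guard.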
@@ -50,7 +52,8 @@ class Activated_grids_model extends CI_Model {
 $sql = 'SELECT DISTINCT station_gridsquare AS GRID_SQUARES, COL_BAND FROM '
 . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id '
- . 'WHERE station_profile.station_gridsquare != "" ';
+ . 'WHERE station_profile.station_gridsquare != "" '
+ . ' AND station_profile.station_id in ('.$location_list.')';
 if ($band != 'All') {
 $sql .= 'AND COL_BAND = "'.$band.'" '
@@ -77,7 +80,8 @@ class Activated_grids_model extends CI_Model {
 $sql = 'SELECT DISTINCT station_gridsquare AS GRID_SQUARES, COL_BAND FROM '
 . 'station_profile JOIN '.$this->config->item('table_name').' on '.$this->config->item('table_name').'.station_id = station_profile.station_id '
- . 'WHERE station_profile.station_gridsquare != "" ';
+ . 'WHERE station_profile.station_gridsquare != "" '
+ . ' AND station_profile.station_id in ('.$location_list.')';
 if ($band != 'All') {
 $sql .= 'AND COL_BAND = "'.$band.'" '
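Review bot: The `$band` value on the last context line of this hunk is concatenated into the query unescaped, directly after the station_id filter the commit adds, so a non-numeric `$band` that reaches this model from a request parameter can alter the statement and undo that filter; hunk 4 has the identical line. This is pre-existing rather than introduced here, but a commit whose purpose is to stop cross-user leakage is the natural place to close it: `$sql .= 'AND COL_BAND = ? ';` with `$band` added to the bind array passed to `$this->db->query()`, or at least `$sql .= 'AND COL_BAND = '.$this->db->escape($band).' ';`. Where `$band` originates cannot be seen from the hunk, and the enclosing method starts and ends outside it.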