From b01bf6ef3d4b90e4e42ed59c6af3ce25887e9fbb Mon Sep 17 00:00:00 2001
From: plegall
Date: Thu, 5 Oct 2023 12:11:23 +0200
Subject: [PATCH] fixes #2018 prevent matching tags/albums to show private content
---
 include/functions_tag.inc.php | 16 +++++++++++++---
 index.php | 29 +++++++++++++++++------------
 2 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/include/functions_tag.inc.php b/include/functions_tag.inc.php
index 00579f578..de9790970 100644
--- a/include/functions_tag.inc.php
+++ b/include/functions_tag.inc.php
@@ -37,7 +37,7 @@ function get_nb_available_tags()
 *
 * @return array [id, name, counter, url_name]
 */
-function get_available_tags()
+function get_available_tags($tag_ids=array())
 {
 // we can find top fatter tags among reachable images
 $query = '
@@ -45,14 +45,24 @@ SELECT tag_id, COUNT(DISTINCT(it.image_id)) AS counter
 FROM '.IMAGE_CATEGORY_TABLE.' ic
 INNER JOIN '.IMAGE_TAG_TABLE.' it
 ON ic.image_id=it.image_id
+ WHERE 1=1
 '.get_sql_condition_FandF(
 array(
 'forbidden_categories' => 'category_id',
 'visible_categories' => 'category_id',
 'visible_images' => 'ic.image_id'
 ),
- ' WHERE '
- ).'
+ ' AND '
+ );
+
+ if (is_array($tag_ids) and count($tag_ids) > 0)
+ {
+ $query .= '
+ AND tag_id IN ('.implode(',', $tag_ids).')
+';
+ }
+
+ $query .= '
 GROUP BY tag_id
 ;';
 $tag_counters = query2array($query, 'tag_id', 'counter');
diff --git a/index.php b/index.php
index 5f614e004..65a3c4dc4 100644
--- a/index.php
+++ b/index.php
@@ -182,6 +182,8 @@ if ( empty($page['is_external']) )
 if (isset($my_search['fields']['tags']))
 {
+ // TODO calling get_available_tags(), with lots of photos/albums/tags may cost time,
+ // we should reuse the result if already executed (for building the menu for example)
 $available_tags = get_available_tags();
 $available_tag_ids = array();
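Review bot: The docblock above `get_available_tags()` in include/functions_tag.inc.php still documents only the return value, although the signature now accepts `$tag_ids`. I would add `@param int[] $tag_ids restrict the result to these tag ids (empty array = all available tags)`, so callers know the list must hold integer ids; it ends up in an SQL `IN (...)` list in the following hunk. The docblock begins above the hunk, so only its last lines are visible here.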
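Review bot: `$tag_ids` is concatenated into the query at `AND tag_id IN ('.implode(',', $tag_ids).')` in include/functions_tag.inc.php without being cast, so the helper now trusts every caller to pass integers. The only caller visible in this patch is `get_available_tags($tag_ids)` in index.php; the ids there appear to come from `$page['search_details']['matching_tag_ids']`, but the assignment is outside the hunk and the function can be called from elsewhere. Casting at the point of use keeps the permission filter from turning into an injection point: `AND tag_id IN ('.implode(',', array_map('intval', $tag_ids)).')`.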
@@ -428,8 +430,9 @@ SELECT
 {
 $query = '
 SELECT
- *
- FROM '.CATEGORIES_TABLE.'
+ c.*
+ FROM '.CATEGORIES_TABLE.' AS c
+ INNER JOIN '.USER_CACHE_CATEGORIES_TABLE.' ON c.id = cat_id and user_id = '.$user['id'].'
 WHERE id IN ('.implode(',', $cat_ids).')
 ;';
 $cats = query2array($query);
@@ -444,7 +447,11 @@ SELECT
 $single_link
 );
 }
- $template->assign('ALBUMS_FOUND', $albums_found);
+
+ if (count($albums_found) > 0)
+ {
+ $template->assign('ALBUMS_FOUND', $albums_found);
+ }
 }
 }
 if (isset($page['search_details']['matching_tag_ids']))
@@ -453,14 +460,8 @@ SELECT
 if (count($tag_ids) > 0)
 {
- $query = '
-SELECT
- *
- FROM '.TAGS_TABLE.'
- WHERE id IN ('.implode(',', $tag_ids).')
- ORDER BY name
-;';
- $tags = query2array($query);
+ $tags = get_available_tags($tag_ids);
+ usort($tags, 'tag_alpha_compare');
 $tags_found = array();
 foreach ($tags as $tag)
 {
@@ -471,7 +472,11 @@ SELECT
 );
 $tags_found[] = sprintf('%s', $url, $tag['name']);
 }
- $template->assign('TAGS_FOUND', $tags_found);
+
+ if (count($tags_found) > 0)
+ {
+ $template->assign('TAGS_FOUND', $tags_found);
+ }
 }
 }
 }
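Review bot: The new join in the album query (first index.php hunk above, `@@ -428`) leaves `cat_id`, `user_id` and the `id` in `WHERE id IN (...)` unqualified, so the visibility filter only stays unambiguous while no joined table gains a column with one of those names. Aliasing the cache table and qualifying every column makes the access check explicit, e.g. `INNER JOIN '.USER_CACHE_CATEGORIES_TABLE.' AS ucc ON c.id = ucc.cat_id AND ucc.user_id = '.$user['id'].'` together with `WHERE c.id IN (...)`. The filter is also only as current as the per-user cache table; I assume it has been rebuilt for the current user before this point, which is worth confirming because it is now the only thing hiding private albums in this list. `$cat_ids` is interpolated as before and its source lies outside the hunk.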