Index: branches/5.0.x/core/kernel/db/db_event_handler.php
===================================================================
diff -u -r12368 -r12511
--- branches/5.0.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 12368)
+++ branches/5.0.x/core/kernel/db/db_event_handler.php (.../db_event_handler.php) (revision 12511)
@@ -1,6 +1,6 @@
 Array('self' => 'view', 'subitem' => 'view'),
 'OnItemBuild' => Array('self' => 'view', 'subitem' => 'view'),
+ 'OnSuggestValues' => Array('self' => 'view', 'subitem' => 'view'),
 'OnBuild' => Array('self' => true),
@@ -2446,35 +2447,44 @@
 */
 function OnSuggestValues(&$event)
 {
- $this->Application->XMLHeader();
+ if (!$this->Application->IsAdmin() || !$this->Application->LoggedIn()) {
+ // very careful here, because this event allows to
+ // view every object field -> limit only to logged-in admins
+ return ;
+ }
+ $event->status = erSTOP;
+ $field = $this->Application->GetVar('field');
 $cur_value = $this->Application->GetVar('cur_value');
- if (!$field || !$cur_value) {
- exit;
+
+ $object =& $event->getObject();
+
+ if (!$field || !$cur_value || !array_key_exists($field, $object->Fields)) {
+ return ;
 }
 $limit = $this->Application->GetVar('limit');
 if (!$limit) {
 $limit = 20;
 }
- $object =& $event->getObject();
 $sql = 'SELECT DISTINCT '.$field.' FROM '.$object->TableName.' WHERE '.$field.' LIKE '.$this->Conn->qstr($cur_value.'%').' ORDER BY '.$field.' LIMIT 0,' . $limit;
- $data = $this->Conn->GetCol($sql);
+ $this->Application->XMLHeader();
+ echo '';
+ foreach ($data as $item) { echo '' . htmlspecialchars($item) . ''; }
- echo '';
- $event->status = erSTOP;
+ echo '';
 }
 /**
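Review bot: The `limit` request parameter still reaches the query as a raw string (`' LIMIT 0,' . $limit`), so the new `array_key_exists($field, $object->Fields)` whitelist closes the `field` injection path but leaves `limit` as an unparameterised SQL fragment that any logged-in admin session can control. Cast it to an integer at the point it is read and treat non-positive values as "use the default": `$limit = (int)$this->Application->GetVar('limit');` followed by `if ($limit <= 0) { $limit = 20; }`. `$cur_value` is quoted through `$this->Conn->qstr()` so it is not an injection vector, though `%` and `_` in it act as LIKE wildcards, which is probably acceptable for a suggestion endpoint. The trailing part of the hunk (the `$data`/`echo` lines) appears to have lost its XML tags and line breaks in rendering, so the exact shape of the output block cannot be verified from this view.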