From: eileen <emcnaughton@wikimedia.org>
Date: Fri, 14 Oct 2016 14:05:51 +0000 (+0100)
Subject: CRM-19311  limit hidden groups to those passed in if  is set
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=54d93c06dce9220e2f50c90086a8ab86b1e08366;p=civicrm-core.git

CRM-19311  limit hidden groups to those passed in if  is set
---

diff --git a/CRM/ACL/BAO/ACL.php b/CRM/ACL/BAO/ACL.php
index 7bb97cf4f6..dec06a6ae5 100644
--- a/CRM/ACL/BAO/ACL.php
+++ b/CRM/ACL/BAO/ACL.php
@@ -920,13 +920,18 @@ ORDER BY a.object_id
       $ids = $includedGroups;
     }
     if ($contactID) {
+      $groupWhere = '';
+      if (!empty($allGroups)) {
+        $groupWhere = " AND id IN (" . implode(',', array_keys($allGroups)) . ")";
+      }
       // Contacts create hidden groups from search results. They should be able to retrieve their own.
       $ownHiddenGroupsList = CRM_Core_DAO::singleValueQuery("
         SELECT GROUP_CONCAT(id) FROM civicrm_group WHERE is_hidden =1 AND created_id = $contactID
+        $groupWhere
       ");
       if ($ownHiddenGroupsList) {
         $ownHiddenGroups = explode(',', $ownHiddenGroupsList);
-        $ids = array_merge($ids, $ownHiddenGroups);
+        $ids = array_merge((array) $ids, $ownHiddenGroups);
       }
 
     }