Prevent the unintentional removal of values for groups that are not being edited
authorAlexander Ebert <ebert@woltlab.com>
Mon, 14 Dec 2020 17:44:41 +0000 (18:44 +0100)
committerAlexander Ebert <ebert@woltlab.com>
Mon, 14 Dec 2020 17:44:41 +0000 (18:44 +0100)
wcfsetup/install/files/lib/data/user/group/option/UserGroupOptionAction.class.php

index f534d0f346f5a1f35712ee113c64111fc96066e6..38509a1ef1e33146e040c6b304635d8aee3ee535 100644 (file)
@@ -2,6 +2,7 @@
 namespace wcf\data\user\group\option;
 use wcf\data\user\group\UserGroupEditor;
 use wcf\data\AbstractDatabaseObjectAction;
+use wcf\system\database\util\PreparedStatementConditionBuilder;
 use wcf\system\WCF;
 
 /**
@@ -26,15 +27,21 @@ class UserGroupOptionAction extends AbstractDatabaseObjectAction {
         * Updates option values for given option id.
         */
        public function updateValues() {
+               /** @var UserGroupOption $option */
                $option = current($this->objects);
                
+               $conditions = new PreparedStatementConditionBuilder();
+               $conditions->add("optionID = ?", [$option->optionID]);
+               if (!empty($this->parameters['values'])) {
+                       $groupIDs = array_keys($this->parameters['values']);
+                       $conditions->add("groupID IN (?)", [$groupIDs]);
+               }
+               
                // remove old values
                $sql = "DELETE FROM     wcf".WCF_N."_user_group_option_value
-                       WHERE           optionID = ?";
+                       ".$conditions;
                $statement = WCF::getDB()->prepareStatement($sql);
-               $statement->execute([
-                       $option->optionID
-               ]);
+               $statement->execute($conditions->getParameters());
                
                if (!empty($this->parameters['values'])) {
                        $sql = "INSERT INTO     wcf".WCF_N."_user_group_option_value
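Review bot: When `$this->parameters['values']` is empty, the `groupID IN (?)` condition is skipped and the DELETE in `updateValues()` still runs with only `optionID = ?`, so it removes the stored value for every group, including groups that are not being edited. If an empty list is never meant to clear the option, return before building the DELETE with `if (empty($this->parameters['values'])) return;`; if it is meant to, state that in a comment such as `// no values submitted: clears this option for all groups`. The group IDs are taken from the keys of the submitted values, and the hunk does not show whether they are checked against the groups the acting user is allowed to edit; that check presumably belongs in the action's validation method and is worth confirming. The body of `updateValues()` continues past the end of the hunk.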