From 13f846c94227422a6692a6b18a25042054a8dc25 Mon Sep 17 00:00:00 2001
From: Marcel Werk <burntime@woltlab.com>
Date: Fri, 7 Dec 2018 11:56:33 +0100
Subject: [PATCH] Fixed validation of permissions for label groups in articles

---
 .../lib/data/article/category/ArticleCategory.class.php      | 5 +++--
 wcfsetup/install/files/lib/page/ArticleListPage.class.php    | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/wcfsetup/install/files/lib/data/article/category/ArticleCategory.class.php b/wcfsetup/install/files/lib/data/article/category/ArticleCategory.class.php
index aafb964e03..3bdb56124a 100644
--- a/wcfsetup/install/files/lib/data/article/category/ArticleCategory.class.php
+++ b/wcfsetup/install/files/lib/data/article/category/ArticleCategory.class.php
@@ -125,9 +125,10 @@ class ArticleCategory extends AbstractDecoratedCategory implements IAccessibleOb
 	/**
 	 * Returns the label groups for all accessible categories.
 	 *
+	 * @param	string	        $permission
 	 * @return	ViewableLabelGroup[]
 	 */
-	public static function getAccessibleLabelGroups() {
+	public static function getAccessibleLabelGroups($permission = 'canSetLabel') {
 		$labelGroupsToCategories = ArticleCategoryLabelCacheBuilder::getInstance()->getData();
 		$accessibleCategoryIDs = self::getAccessibleCategoryIDs();
 		
@@ -139,6 +140,6 @@ class ArticleCategory extends AbstractDecoratedCategory implements IAccessibleOb
 		}
 		if (empty($groupIDs)) return [];
 		
-		return LabelHandler::getInstance()->getLabelGroups(array_unique($groupIDs));
+		return LabelHandler::getInstance()->getLabelGroups(array_unique($groupIDs), true, $permission);
 	}
 }
diff --git a/wcfsetup/install/files/lib/page/ArticleListPage.class.php b/wcfsetup/install/files/lib/page/ArticleListPage.class.php
index e23c8ea254..2e78b19bdc 100644
--- a/wcfsetup/install/files/lib/page/ArticleListPage.class.php
+++ b/wcfsetup/install/files/lib/page/ArticleListPage.class.php
@@ -75,7 +75,7 @@ class ArticleListPage extends MultipleLinkPage {
 		parent::readParameters();
 		
 		// read available label groups
-		$this->labelGroups = ArticleCategory::getAccessibleLabelGroups();
+		$this->labelGroups = ArticleCategory::getAccessibleLabelGroups('canViewLabel');
 		if (!empty($this->labelGroups) && isset($_REQUEST['labelIDs']) && is_array($_REQUEST['labelIDs'])) {
 			$this->labelIDs = $_REQUEST['labelIDs'];
 			
-- 
2.20.1