Security: fix SQL precedence so soft-deleted users stay filtered

AngelFQC · claude · AngelFQC · commit 077dedfe5f71 · 2026-06-16T11:03:54.000-05:00
The user list query in access_url_add_users_to_url.php mixed AND and OR
without parentheses, so SQL precedence made the active &lt;&gt; USER_SOFT_DELETED
filter apply only to the first LIKE clause; the trailing OR clause returned
matching users regardless of status, exposing soft-deleted accounts.

Wrap the OR group in parentheses so the active-status filter applies to the
whole match.

Refs GHSA-6cmq-j35w-q932

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/public/main/admin/access_url_add_users_to_url.php b/public/main/admin/access_url_add_users_to_url.php
@@ -85,7 +85,7 @@
 $target_name = api_sort_by_first_name() ? 'firstname' : 'lastname';
 $target_name = 'lastname';
 $sql = "SELECT id, lastname, firstname, username FROM $tbl_user
-	    WHERE active <> ".USER_SOFT_DELETED." AND ".$target_name." LIKE '".$first_letter_user_lower."%' OR ".$target_name." LIKE '".$first_letter_user_lower."%'
+	    WHERE active <> ".USER_SOFT_DELETED." AND (".$target_name." LIKE '".$first_letter_user_lower."%' OR ".$target_name." LIKE '".$first_letter_user_lower."%')
 		ORDER BY ".(count($users) > 0 ? '(id IN('.implode(',', $users).')) DESC,' : '').' '.$target_name;
 $result = Database::query($sql);
 $db_users = Database::store_result($result);
