From 487b42fa1c2d871f06dfb95f41387774852dbb7f Mon Sep 17 00:00:00 2001
From: Lester Caine <lester@lsces.co.uk>
Date: Sat, 6 Jun 2026 20:10:23 +0100
Subject: protector: guard empty roles with ?: [-1] to prevent Firebird IN()
 error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

For anonymous users getRoles() returns an empty array, producing IN()
with no values — invalid Firebird SQL (-104 Token unknown).

Apply the standard guard so anonymous requests get IN(-1) instead,
matching the anonymous role_id. Affects both protector_content_list()
and protector_content_load().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 includes/classes/LibertyProtector.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/includes/classes/LibertyProtector.php b/includes/classes/LibertyProtector.php
index 249f76b..eb37666 100755
--- a/includes/classes/LibertyProtector.php
+++ b/includes/classes/LibertyProtector.php
@@ -83,7 +83,7 @@ class LibertyProtector extends LibertyBase {
 function protector_content_list() {
 	global $gBitUser;
 	$userId = $gBitUser->mUserId ?? 0;
-	$roles = \array_keys($gBitUser->getRoles( $userId ?? 0, true ));
+	$roles = \array_keys($gBitUser->getRoles( $userId ?? 0, true )) ?: [-1];
 	$ret = [
 		'join_sql'  => " LEFT JOIN `" . BIT_DB_PREFIX . "liberty_content_role_map` lcrm ON ( lc.`content_id`=lcrm.`content_id` ) LEFT OUTER JOIN `" . BIT_DB_PREFIX . "users_roles_map` purm ON ( purm.`user_id` = " . $userId . " ) AND ( purm.`role_id`=lcrm.`role_id` ) ",
 		'where_sql' => " AND (lcrm.`content_id` IS null OR lcrm.`role_id` IN(" . implode( ',', array_fill( 0, count( $roles ), '?' ) ) . " ) OR purm.`user_id` = ? ) ",
@@ -100,7 +100,7 @@ function protector_content_list() {
 function protector_content_load( $pContent = null ) {
 	global $gBitUser;
 	$userId = $gBitUser->mUserId ?? -1;
-	$roles = \array_keys($gBitUser->getRoles( $userId, true ));
+	$roles = \array_keys($gBitUser->getRoles( $userId, true )) ?: [-1];
 	protector_content_verify_access( $pContent, $roles );
 	$ret = [
 		'join_sql'  => " LEFT JOIN `" . BIT_DB_PREFIX . "liberty_content_role_map` lcrm ON ( lc.`content_id`=lcrm.`content_id` ) LEFT OUTER JOIN `" . BIT_DB_PREFIX . "users_roles_map` purm ON ( purm.`role_id`=lcrm.`role_id` ) ",
-- 
cgit v1.3