Broken in the implementation of permissions on list -- need a full join
to get values from the messages table, in this case the messageid.
# XXX: minor information leak, because we load the whole attachment before we check
# the thread permissions. Is that OK?
curs = connection.cursor()
- curs.execute("SELECT filename, contenttype, messageid, attachment FROM attachments WHERE id=%(id)s AND EXISTS (SELECT 1 FROM messages WHERE messages.id=attachments.message AND messages.hiddenstatus IS NULL)", { 'id': int(attid)})
+ curs.execute("SELECT filename, contenttype, messageid, attachment FROM attachments INNER JOIN messages ON messages.id=attachments.message AND attachments.id=%(id)s AND messages.hiddenstatus IS NULL", {'id': int(attid)})
r = curs.fetchall()
if len(r) != 1:
return HttpResponse("Attachment not found")
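Review bot: The added query on the `+` line folds the row filter `attachments.id=%(id)s` and the `hiddenstatus IS NULL` permission predicate into the join's ON clause; for an INNER JOIN that is equivalent to a WHERE, but it hides the access check inside the join condition and would silently stop filtering if the join were ever changed to an outer join. The selected `messageid` is also unqualified now that two tables are joined, so if both tables carry a column of that name the database will reject the query as ambiguous (the description says it comes from messages). I would write it as `curs.execute("SELECT attachments.filename, attachments.contenttype, messages.messageid, attachments.attachment FROM attachments INNER JOIN messages ON messages.id=attachments.message WHERE attachments.id=%(id)s AND messages.hiddenstatus IS NULL", {'id': int(attid)})`. The XXX comment above still applies: the attachment body is fetched in the same SELECT before the thread permissions mentioned there are checked, and `int(attid)` will raise on a non-numeric id unless the caller validates it. The enclosing function starts and ends outside the hunk.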