Merge remote-tracking branch 'github-bantu/ticket/10320' into develop-olympus

* github-bantu/ticket/10320:
  [ticket/10320] Exclude passworded forums when determining "Most active topic".
  [ticket/10320] Move phpbb_feed_base::get_passworded_forums() to user class.

phpBB/includes/functions_display.php

@@ -1008,13 +1008,17 @@ function display_user_activity(&$userdata)
 	}
 
 	// Obtain active topic
+	// We need to exclude passworded forums here so we do not leak the topic title
+	$forum_ary_topic = array_unique(array_merge($forum_ary, $user->get_passworded_forums()));
+	$forum_sql_topic = (!empty($forum_ary_topic)) ? 'AND ' . $db->sql_in_set('forum_id', $forum_ary_topic, true) : '';
+
 	$sql = 'SELECT topic_id, COUNT(post_id) AS num_posts
 		FROM ' . POSTS_TABLE . '
 		WHERE poster_id = ' . $userdata['user_id'] . "
 			AND post_postcount = 1
 			AND (post_approved = 1
 				$sql_m_approve)
-			$forum_sql
+			$forum_sql_topic
 		GROUP BY topic_id
 		ORDER BY num_posts DESC";
 	$result = $db->sql_query_limit($sql, 1);

phpBB/includes/session.php

@@ -2410,6 +2410,39 @@ class user extends session
 
 		return true;
 	}
+
+	/**
+	* Returns all password protected forum ids the user is currently NOT authenticated for.
+	*
+	* @return array		Array of forum ids
+	* @access public
+	*/
+	function get_passworded_forums()
+	{
+		global $db;
+
+		$sql = 'SELECT f.forum_id, fa.user_id
+			FROM ' . FORUMS_TABLE . ' f
+			LEFT JOIN ' . FORUMS_ACCESS_TABLE . " fa
+				ON (fa.forum_id = f.forum_id
+					AND fa.session_id = '" . $db->sql_escape($this->session_id) . "')
+			WHERE f.forum_password <> ''";
+		$result = $db->sql_query($sql);
+
+		$forum_ids = array();
+		while ($row = $db->sql_fetchrow($result))
+		{
+			$forum_id = (int) $row['forum_id'];
+
+			if ($row['user_id'] != $this->data['user_id'])
+			{
+				$forum_ids[$forum_id] = $forum_id;
+			}
+		}
+		$db->sql_freeresult($result);
+
+		return $forum_ids;
+	}
 }
 
 ?>