authorFrederic Guillot <fred@kanboard.net>2017-09-23 18:48:45 -0700
committerFrederic Guillot <fred@kanboard.net>2017-09-23 18:48:45 -0700
commit074f6c104f3e49401ef0065540338fc2d4be79f0 (patch)
tree35ee4b74f9f24749a57b6f54b6e5ec64eaffb1da /app/Controller/ActionController.php
parent8ecaa60340966ee4fec8ee16612803d229e77eb3 (diff)
Avoid people to alter other projects by changing form data
Diffstat (limited to 'app/Controller/ActionController.php')
-rw-r--r--app/Controller/ActionController.php5
1 files changed, 3 insertions, 2 deletions
diff --git a/app/Controller/ActionController.php b/app/Controller/ActionController.php
index c935125a..43acf590 100644
--- a/app/Controller/ActionController.php
+++ b/app/Controller/ActionController.php
@@ -46,9 +46,10 @@ class ActionController extends BaseController
public function confirm()
{
$project = $this->getProject();
+ $action = $this->getAction($project);
$this->response->html($this->helper->layout->project('action/remove', array(
- 'action' => $this->actionModel->getById($this->request->getIntegerParam('action_id')),
+ 'action' => $action,
'available_events' => $this->eventManager->getAll(),
'available_actions' => $this->actionManager->getAvailableActions(),
'project' => $project,
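Review bot: confirm() passes `$action` straight to the template at `'action' => $action` with no check of its own, so the project-ownership guarantee now rests entirely on `getAction($project)`, which is defined outside this file's diff. That helper should fail closed, presumably by throwing when `action_id` is missing or the action's project differs from `$project`, rather than returning an empty value; `remove()` in the second hunk still guards with `! empty($action)`, but this method does not. I would document the contract at the call site, e.g. `// getAction() must reject any action_id that does not belong to $project`, and add a controller test that requests an action owned by a different project and expects a denial. The body of confirm() continues past the end of this hunk.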
@@ -65,7 +66,7 @@ class ActionController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
- $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+ $action = $this->getAction($project);
if (! empty($action) && $this->actionModel->remove($action['id'])) {
$this->flash->success(t('Action removed successfully.'));