author | Frederic Guillot <fred@kanboard.net> | 2017-09-23 18:48:45 -0700 |
committer | Frederic Guillot <fred@kanboard.net> | 2017-09-23 18:48:45 -0700 |
commit | 074f6c104f3e49401ef0065540338fc2d4be79f0 (patch) | |
tree | 35ee4b74f9f24749a57b6f54b6e5ec64eaffb1da /app/Controller/BaseController.php | |
parent | 8ecaa60340966ee4fec8ee16612803d229e77eb3 (diff) |
Prevent people from altering other projects by changing form data
Diffstat (limited to 'app/Controller/BaseController.php')
-rw-r--r-- | app/Controller/BaseController.php | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 5233e27f..1ac7ed20 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -155,4 +155,94 @@ abstract class BaseController extends Base
 return $subtask;
 }
+
+ protected function getColumn(array $project)
+ {
+ $column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
+
+ if (empty($column)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($column['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $column;
+ }
+
+ protected function getSwimlane(array $project)
+ {
+ $swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
+
+ if (empty($swimlane)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($swimlane['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $swimlane;
+ }
+
+ protected function getCategory(array $project)
+ {
+ $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
+
+ if (empty($category)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($category['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $category;
+ }
+
+ protected function getProjectTag(array $project)
+ {
+ $tag = $this->tagModel->getById($this->request->getIntegerParam('tag_id'));
+
+ if (empty($tag)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($tag['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $tag;
+ }
+
+ protected function getAction(array $project)
+ {
+ $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+
+ if (empty($action)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($action['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $action;
+ }
+
+ protected function getCustomFilter(array $project)
+ {
+ $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+
+ if (empty($filter)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($filter['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $filter;
+ }
 }
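Review bot: Each new accessor answers with PageNotFoundException when getById finds nothing but with AccessForbiddenException when the record belongs to another project, so an authenticated user can tell a non-existent ID from one that exists in a project they cannot see, which turns the ownership check into an ID-enumeration oracle. If that distinction is meant as a tamper signal for logging it is a defensible trade-off and deserves a comment; otherwise throwing `PageNotFoundException` in the project-mismatch branch too hides the existence of foreign records. The comparison `$column['project_id'] != $project['id']` is loose; `(int) $column['project_id'] !== (int) $project['id']` states the numeric intent explicitly and keeps strict analysers quiet. getSwimlane, getCategory, getProjectTag, getAction and getCustomFilter are line-for-line copies of getColumn apart from the model and parameter name, so the check now lives in six places; a single private helper (sketched below) keeps it in one. The guard only protects controllers that call these accessors rather than getById directly, and those call sites are outside this file's diffstat, so they cannot be confirmed here.
```php
    /**
     * Load a project-scoped record named by an integer request parameter.
     *
     * @throws PageNotFoundException    when no record matches the id
     * @throws AccessForbiddenException when the record belongs to another project
     */
    private function getProjectScopedEntity($model, string $paramName, array $project): array
    {
        $entity = $model->getById($this->request->getIntegerParam($paramName));

        if (empty($entity)) {
            throw new PageNotFoundException();
        }

        // Cast both sides so the check does not depend on whether ids arrive as strings or ints.
        if ((int) $entity['project_id'] !== (int) $project['id']) {
            throw new AccessForbiddenException();
        }

        return $entity;
    }

    protected function getColumn(array $project)
    {
        return $this->getProjectScopedEntity($this->columnModel, 'column_id', $project);
    }

    // … unchanged in intent: getSwimlane, getCategory, getProjectTag, getAction, getCustomFilter delegate the same way …
```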