Make sure people do not access to files of other projects

1 files changed, 9 insertions, 2 deletions

diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 41fcef1c..43ecfaab 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -74,13 +74,14 @@ abstract class BaseController extends Base
     {
         $task_id = $this->request->getIntegerParam('task_id');
         $file_id = $this->request->getIntegerParam('file_id');
+        $project_id = $this->request->getIntegerParam('project_id');
         $model = 'projectFileModel';
 
         if ($task_id > 0) {
             $model = 'taskFileModel';
-            $project_id = $this->taskFinderModel->getProjectId($task_id);
+            $task_project_id = $this->taskFinderModel->getProjectId($task_id);
 
-            if ($project_id !== $this->request->getIntegerParam('project_id')) {
+            if ($project_id != $task_project_id) {
                 throw new AccessForbiddenException();
             }
         }
@@ -91,6 +92,12 @@ abstract class BaseController extends Base
             throw new PageNotFoundException();
         }
 
+        if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+            throw new AccessForbiddenException();
+        } else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+            throw new AccessForbiddenException();
+        }
+
         $file['model'] = $model;
         return $file;
     }