authorFrederic Guillot <fred@kanboard.net>2017-09-23 18:48:45 -0700
committerFrederic Guillot <fred@kanboard.net>2017-09-23 18:48:45 -0700
commit074f6c104f3e49401ef0065540338fc2d4be79f0 (patch)
tree35ee4b74f9f24749a57b6f54b6e5ec64eaffb1da /app/Controller/CategoryController.php
parent8ecaa60340966ee4fec8ee16612803d229e77eb3 (diff)
Prevent people from altering other projects by changing form data
Diffstat (limited to 'app/Controller/CategoryController.php')
-rw-r--r--app/Controller/CategoryController.php31
1 files changed, 9 insertions, 22 deletions
diff --git a/app/Controller/CategoryController.php b/app/Controller/CategoryController.php
index 69bbad5a..e3f2406b 100644
--- a/app/Controller/CategoryController.php
+++ b/app/Controller/CategoryController.php
@@ -13,24 +13,6 @@ use Kanboard\Core\Controller\PageNotFoundException;
class CategoryController extends BaseController
{
/**
- * Get the category (common method between actions)
- *
- * @access private
- * @return array
- * @throws PageNotFoundException
- */
- private function getCategory()
- {
- $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
-
- if (empty($category)) {
- throw new PageNotFoundException();
- }
-
- return $category;
- }
-
- /**
* List of categories for a given project
*
* @access public
@@ -72,8 +54,9 @@ class CategoryController extends BaseController
public function save()
{
$project = $this->getProject();
-
$values = $this->request->getValues();
+ $values['project_id'] = $project['id'];
+
list($valid, $errors) = $this->categoryValidator->validateCreation($values);
if ($valid) {
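Review bot: The overwrite `$values['project_id'] = $project['id'];` is placed correctly, before `validateCreation()` sees the request data, but the same pin is repeated in `update()` in the hunk at line 63, where `project_id` and `id` are both forced from server-side state. A small private helper, e.g. `private function getCategoryValues(array $project): array` that reads `$this->request->getValues()` and overwrites `project_id`, would keep the two call sites from drifting apart if a third action is added later. A one-line comment above the pin, `// never trust project_id from the form; the project comes from the URL`, would also record why the request value is discarded. The body of `save()` continues outside the hunk.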
@@ -100,7 +83,7 @@ class CategoryController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$project = $this->getProject();
- $category = $this->getCategory();
+ $category = $this->getCategory($project);
$this->response->html($this->template->render('category/edit', array(
'values' => empty($values) ? $category : $values,
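Review bot: The switch to `$this->getCategory($project)` is what now ties the category lookup to the current project, but the replacement helper is not in this file (the old private `getCategory()` that only looked up `category_id` is removed in the first hunk), so the protection this commit describes holds only if that helper checks the category's `project_id` against `$project['id']` and throws `PageNotFoundException` on mismatch. The same dependency applies to the hunks at lines 63, 74 and 82, which call it from `update()`, `confirm()` and `remove()`. Worth documenting on the helper itself: `@throws PageNotFoundException when the category does not exist or belongs to another project`. The body of `edit()` continues outside the hunk.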
@@ -117,8 +100,12 @@ class CategoryController extends BaseController
public function update()
{
$project = $this->getProject();
+ $category = $this->getCategory($project);
$values = $this->request->getValues();
+ $values['project_id'] = $project['id'];
+ $values['id'] = $category['id'];
+
list($valid, $errors) = $this->categoryValidator->validateModification($values);
if ($valid) {
@@ -141,7 +128,7 @@ class CategoryController extends BaseController
public function confirm()
{
$project = $this->getProject();
- $category = $this->getCategory();
+ $category = $this->getCategory($project);
$this->response->html($this->helper->layout->project('category/remove', array(
'project' => $project,
@@ -158,7 +145,7 @@ class CategoryController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
- $category = $this->getCategory();
+ $category = $this->getCategory($project);
if ($this->categoryModel->remove($category['id'])) {
$this->flash->success(t('Category removed successfully.'));