authorFrederic Guillot <fred@kanboard.net>2017-09-23 20:56:54 -0700
committerFrederic Guillot <fred@kanboard.net>2017-09-23 20:56:54 -0700
commit3e0f14ae2b0b5a44bd038a472f17eac75f538524 (patch)
tree031247eca17a7a3d1d73490f5c10b12cbe9caadb /app/Controller/CommentController.php
parent074f6c104f3e49401ef0065540338fc2d4be79f0 (diff)
Do not expose IDs in forms
Diffstat (limited to 'app/Controller/CommentController.php')
-rw-r--r--app/Controller/CommentController.php43
1 files changed, 8 insertions, 35 deletions
diff --git a/app/Controller/CommentController.php b/app/Controller/CommentController.php
index 9a89103e..a29491a3 100644
--- a/app/Controller/CommentController.php
+++ b/app/Controller/CommentController.php
@@ -14,29 +14,6 @@ use Kanboard\Core\Controller\PageNotFoundException;
class CommentController extends BaseController
{
/**
- * Get the current comment
- *
- * @access protected
- * @return array
- * @throws PageNotFoundException
- * @throws AccessForbiddenException
- */
- protected function getComment()
- {
- $comment = $this->commentModel->getById($this->request->getIntegerParam('comment_id'));
-
- if (empty($comment)) {
- throw new PageNotFoundException();
- }
-
- if (! $this->userSession->isAdmin() && $comment['user_id'] != $this->userSession->getId()) {
- throw new AccessForbiddenException();
- }
-
- return $comment;
- }
-
- /**
* Add comment form
*
* @access public
@@ -49,14 +26,6 @@ class CommentController extends BaseController
{
$project = $this->getProject();
$task = $this->getTask();
-
- if (empty($values)) {
- $values = array(
- 'user_id' => $this->userSession->getId(),
- 'task_id' => $task['id'],
- );
- }
-
$values['project_id'] = $task['project_id'];
$this->response->html($this->helper->layout->task('comment/create', array(
@@ -106,7 +75,7 @@ class CommentController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
- $comment = $this->getComment();
+ $comment = $this->getComment($task);
if (empty($values)) {
$values = $comment;
@@ -130,9 +99,13 @@ class CommentController extends BaseController
public function update()
{
$task = $this->getTask();
- $this->getComment();
+ $comment = $this->getComment($task);
$values = $this->request->getValues();
+ $values['id'] = $comment['id'];
+ $values['task_id'] = $task['id'];
+ $values['user_id'] = $comment['user_id'];
+
list($valid, $errors) = $this->commentValidator->validateModification($values);
if ($valid) {
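Review bot: `$values['task_id'] = $task['id'];` re-parents the comment to whatever task is in the URL, so it is only safe if `getComment($task)` (defined outside this file) rejects a comment whose `task_id` differs from `$task['id']`; if that helper only checks existence and ownership, as the removed `getComment()` did, a comment_id from another task would be silently moved to this one. Either enforce that in the helper or guard here before the assignments with `if ($comment['task_id'] != $task['id']) { throw new PageNotFoundException(); }`. A one-line comment above the three assignments would also make the intent clear to the next reader: `// Identifiers come from the URL/session-resolved records, never from the submitted form`. The same reliance on getComment($task) applies to edit(), confirm() and remove() in the other hunks; update()'s body continues outside the hunk.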
@@ -157,7 +130,7 @@ class CommentController extends BaseController
public function confirm()
{
$task = $this->getTask();
- $comment = $this->getComment();
+ $comment = $this->getComment($task);
$this->response->html($this->template->render('comment/remove', array(
'comment' => $comment,
@@ -175,7 +148,7 @@ class CommentController extends BaseController
{
$this->checkCSRFParam();
$task = $this->getTask();
- $comment = $this->getComment();
+ $comment = $this->getComment($task);
if ($this->commentModel->remove($comment['id'])) {
$this->flash->success(t('Comment removed successfully.'));