author | Frederic Guillot <fred@kanboard.net> | 2017-09-23 18:48:45 -0700 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2017-09-23 18:48:45 -0700 |
commit | 074f6c104f3e49401ef0065540338fc2d4be79f0 (patch) | |
tree | 35ee4b74f9f24749a57b6f54b6e5ec64eaffb1da /app/Controller/CustomFilterController.php | |
parent | 8ecaa60340966ee4fec8ee16612803d229e77eb3 (diff) |
Avoid people to alter other projects by changing form data
Diffstat (limited to 'app/Controller/CustomFilterController.php')
-rw-r--r-- | app/Controller/CustomFilterController.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/app/Controller/CustomFilterController.php b/app/Controller/CustomFilterController.php
index dfe1ffc4..1bf1617e 100644
--- a/app/Controller/CustomFilterController.php
+++ b/app/Controller/CustomFilterController.php
@@ -59,6 +59,7 @@ class CustomFilterController extends BaseController
 $project = $this->getProject();
 $values = $this->request->getValues();
+ $values['project_id'] = $project['id'];
 $values['user_id'] = $this->userSession->getId();
 list($valid, $errors) = $this->customFilterValidator->validateCreation($values);
@@ -84,7 +85,7 @@ class CustomFilterController extends BaseController
 public function confirm()
 {
 $project = $this->getProject();
- $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+ $filter = $this->getCustomFilter($project);
 $this->response->html($this->helper->layout->project('custom_filter/remove', array(
 'project' => $project,
@@ -102,7 +103,7 @@ class CustomFilterController extends BaseController
 {
 $this->checkCSRFParam();
 $project = $this->getProject();
- $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+ $filter = $this->getCustomFilter($project);
 $this->checkPermission($project, $filter);
@@ -153,6 +154,8 @@ class CustomFilterController extends BaseController
 $this->checkPermission($project, $filter);
 $values = $this->request->getValues();
+ $values['id'] = $filter['id'];
+ $values['project_id'] = $project['id'];
 if (! isset($values['is_shared'])) {
 $values += array('is_shared' => 0); |
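Review bot: The added `$values['project_id'] = $project['id'];` in the first hunk deliberately overwrites a key the form may also submit, but nothing in the code says so, and the next maintainer could easily read it as redundant and drop it; a short comment would pin the intent, e.g. `// Bind the filter to the project from the URL, never to a project_id taken from the form`. The same remark applies to the two assignments added in the fourth hunk (`$values['id']` and `$values['project_id']` in the update action), where it is also worth noting that the overrides happen after `checkPermission($project, $filter)`, so the record that was permission-checked and the record that gets saved are guaranteed to be the same one. In both hunks the enclosing method starts and ends outside the visible lines.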
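Review bot: In the second hunk `confirm()` now renders `custom_filter/remove` straight after `$this->getCustomFilter($project)` with no `checkPermission($project, $filter)` call in the visible lines, whereas `remove()` in the third hunk keeps that check; `getCustomFilter()` is not part of this diff (the diffstat is limited to this file), so it is assumed here to be a project-scoped lookup, and whether it also enforces ownership cannot be verified from the hunk. If it only scopes by project, a user who may list a shared filter but not remove it would still be shown the removal confirmation page; that is acceptable only if the view exposes nothing beyond what the list already shows, otherwise the same `checkPermission()` call as in `remove()` belongs before the `$this->response->html(...)` line. Both methods continue outside their hunks.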