summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorFrederic Guillot <fred@kanboard.net>2017-09-27 21:58:16 -0700
committerFrederic Guillot <fred@kanboard.net>2017-09-27 21:58:16 -0700
commit7100f6de8a1f566e260b3e65312767e4cde112b1 (patch)
treebe1fbde368983b101b43dba1b8e61a8c6b875fec /app
parentac795d9a5804204475bf62bcca03ee0815a92e6a (diff)
Make sure people do not access to files of other projects
Diffstat (limited to 'app')
-rw-r--r--app/Controller/BaseController.php11
1 files changed, 9 insertions, 2 deletions
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 41fcef1c..43ecfaab 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -74,13 +74,14 @@ abstract class BaseController extends Base
{
$task_id = $this->request->getIntegerParam('task_id');
$file_id = $this->request->getIntegerParam('file_id');
+ $project_id = $this->request->getIntegerParam('project_id');
$model = 'projectFileModel';
if ($task_id > 0) {
$model = 'taskFileModel';
- $project_id = $this->taskFinderModel->getProjectId($task_id);
+ $task_project_id = $this->taskFinderModel->getProjectId($task_id);
- if ($project_id !== $this->request->getIntegerParam('project_id')) {
+ if ($project_id != $task_project_id) {
throw new AccessForbiddenException();
}
}
@@ -91,6 +92,12 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
+ if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+ throw new AccessForbiddenException();
+ } else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+ throw new AccessForbiddenException();
+ }
+
$file['model'] = $model;
return $file;
}