diff options
| author | Frederic Guillot <fred@kanboard.net> | 2017-09-27 21:58:16 -0700 |
|---|---|---|
| committer | Frederic Guillot <fred@kanboard.net> | 2017-09-27 21:58:16 -0700 |
| commit | 7100f6de8a1f566e260b3e65312767e4cde112b1 (patch) | |
| tree | be1fbde368983b101b43dba1b8e61a8c6b875fec /app | |
| parent | ac795d9a5804204475bf62bcca03ee0815a92e6a (diff) | |
Make sure people do not access to files of other projects
Diffstat (limited to 'app')
| -rw-r--r-- | app/Controller/BaseController.php | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php index 41fcef1c..43ecfaab 100644 --- a/app/Controller/BaseController.php +++ b/app/Controller/BaseController.php @@ -74,13 +74,14 @@ abstract class BaseController extends Base { $task_id = $this->request->getIntegerParam('task_id'); $file_id = $this->request->getIntegerParam('file_id'); + $project_id = $this->request->getIntegerParam('project_id'); $model = 'projectFileModel'; if ($task_id > 0) { $model = 'taskFileModel'; - $project_id = $this->taskFinderModel->getProjectId($task_id); + $task_project_id = $this->taskFinderModel->getProjectId($task_id); - if ($project_id !== $this->request->getIntegerParam('project_id')) { + if ($project_id != $task_project_id) { throw new AccessForbiddenException(); } } @@ -91,6 +92,12 @@ abstract class BaseController extends Base throw new PageNotFoundException(); } + if (isset($file['task_id']) && $file['task_id'] != $task_id) { + throw new AccessForbiddenException(); + } else if (isset($file['project_id']) && $file['project_id'] != $project_id) { + throw new AccessForbiddenException(); + } + $file['model'] = $model; return $file; } |