Diffstat (limited to 'app/Controller/BaseController.php')
-rw-r--r--app/Controller/BaseController.php163
1 files changed, 153 insertions, 10 deletions
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 5233e27f..43ecfaab 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -74,13 +74,14 @@ abstract class BaseController extends Base
{
$task_id = $this->request->getIntegerParam('task_id');
$file_id = $this->request->getIntegerParam('file_id');
+ $project_id = $this->request->getIntegerParam('project_id');
$model = 'projectFileModel';
if ($task_id > 0) {
$model = 'taskFileModel';
- $project_id = $this->taskFinderModel->getProjectId($task_id);
+ $task_project_id = $this->taskFinderModel->getProjectId($task_id);
- if ($project_id !== $this->request->getIntegerParam('project_id')) {
+ if ($project_id != $task_project_id) {
throw new AccessForbiddenException();
}
}
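Review bot: The comparison on the new line `if ($project_id != $task_project_id)` drops the strict `!==` the old code used, so a task whose project lookup yields null or 0 and a request with no `project_id` (which getIntegerParam presumably maps to 0 — verify) compare equal and the guard passes instead of failing. Treat an unresolved task project as not found and compare strictly: `if (empty($task_project_id)) { throw new PageNotFoundException(); }` followed by `if ($project_id !== (int) $task_project_id) {`. The same loose `!=` pattern is used in the next hunk and in every accessor added in the last hunk. The enclosing method begins before this hunk, so its name and signature are not visible here.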
@@ -91,6 +92,12 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
+ if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+ throw new AccessForbiddenException();
+ } else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+ throw new AccessForbiddenException();
+ }
+
$file['model'] = $model;
return $file;
}
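Review bot: The `else if` on the second guard is redundant after a branch that always throws, and PSR-12 spells the construct `elseif`; two independent `if` blocks read cleaner and make explicit that a file row carrying a `task_id` is never compared against `$project_id` here (that is only covered transitively through the task-project check in the previous hunk). Suggest `if (isset($file['task_id']) && (int) $file['task_id'] !== $task_id) {` and a separate `if (isset($file['project_id']) && (int) $file['project_id'] !== $project_id) {`; the second would then also run for task files, which only holds if a task file's stored `project_id` is expected to match the request — confirm against the file models. The enclosing method starts before the previous hunk.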
@@ -138,14 +145,7 @@ abstract class BaseController extends Base
return $user;
}
- /**
- * Get the current subtask
- *
- * @access protected
- * @return array
- * @throws PageNotFoundException
- */
- protected function getSubtask()
+ protected function getSubtask(array $task)
{
$subtask = $this->subtaskModel->getById($this->request->getIntegerParam('subtask_id'));
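Review bot: The docblock on `getSubtask` is deleted rather than updated, so the new `array $task` parameter and the `AccessForbiddenException` the method now throws are undocumented, while the surrounding file keeps `@access`/`@return`/`@throws` blocks (see the removed lines in this hunk). Restore a docblock in that style saying the subtask is loaded from the `subtask_id` request parameter and must belong to `$task`, with `@param array $task`, `@return array`, `@throws PageNotFoundException` and `@throws AccessForbiddenException`. The method body continues in the next hunk.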
@@ -153,6 +153,149 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
+ if ($subtask['task_id'] != $task['id']) {
+ throw new AccessForbiddenException();
+ }
+
return $subtask;
}
+
+ protected function getComment(array $task)
+ {
+ $comment = $this->commentModel->getById($this->request->getIntegerParam('comment_id'));
+
+ if (empty($comment)) {
+ throw new PageNotFoundException();
+ }
+
+ if (! $this->userSession->isAdmin() && $comment['user_id'] != $this->userSession->getId()) {
+ throw new AccessForbiddenException();
+ }
+
+ if ($comment['task_id'] != $task['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $comment;
+ }
+
+ protected function getExternalTaskLink(array $task)
+ {
+ $link = $this->taskExternalLinkModel->getById($this->request->getIntegerParam('link_id'));
+
+ if (empty($link)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($link['task_id'] != $task['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $link;
+ }
+
+ protected function getInternalTaskLink(array $task)
+ {
+ $link = $this->taskLinkModel->getById($this->request->getIntegerParam('link_id'));
+
+ if (empty($link)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($link['task_id'] != $task['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $link;
+ }
+
+ protected function getColumn(array $project)
+ {
+ $column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
+
+ if (empty($column)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($column['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $column;
+ }
+
+ protected function getSwimlane(array $project)
+ {
+ $swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
+
+ if (empty($swimlane)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($swimlane['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $swimlane;
+ }
+
+ protected function getCategory(array $project)
+ {
+ $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
+
+ if (empty($category)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($category['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $category;
+ }
+
+ protected function getProjectTag(array $project)
+ {
+ $tag = $this->tagModel->getById($this->request->getIntegerParam('tag_id'));
+
+ if (empty($tag)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($tag['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $tag;
+ }
+
+ protected function getAction(array $project)
+ {
+ $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+
+ if (empty($action)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($action['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $action;
+ }
+
+ protected function getCustomFilter(array $project)
+ {
+ $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+
+ if (empty($filter)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($filter['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $filter;
+ }
}
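Review bot: The nine new accessors (`getComment` through `getCustomFilter`) repeat the same fetch / not-found / ownership-mismatch sequence, each with a loose `!=` between a model value and `$task['id']` or `$project['id']`, and none carries a docblock even though the file documents its other helpers. A private helper that performs the lookup and a strict integer comparison once would make the authorisation rule a single reviewable line per resource and keep every accessor the same; the fence shows the helper and `getColumn` rewritten on it, the others follow the same shape. `getComment` keeps its extra owner-or-admin check before the helper call. Nothing here verifies that the caller actually passes the task or project it authorised, so a brief `@param` note on each accessor that `$task`/`$project` must come from the corresponding checked getter would help the next maintainer.
```php
    /**
     * Load a record from the given model by a request id and check it belongs to the expected parent
     *
     * @access private
     * @param  object  $model     Model exposing getById()
     * @param  string  $param     Request parameter holding the record id
     * @param  string  $column    Column of the record naming its parent id
     * @param  mixed   $expected  Parent id the record must reference
     * @return array
     * @throws PageNotFoundException
     * @throws AccessForbiddenException
     */
    private function getRecordOwnedBy($model, $param, $column, $expected)
    {
        $record = $model->getById($this->request->getIntegerParam($param));

        if (empty($record)) {
            throw new PageNotFoundException();
        }

        // Strict comparison after casting: DB drivers may return numeric strings
        if ((int) $record[$column] !== (int) $expected) {
            throw new AccessForbiddenException();
        }

        return $record;
    }

    /**
     * Get the current column, which must belong to the given project
     *
     * @access protected
     * @param  array  $project
     * @return array
     * @throws PageNotFoundException
     * @throws AccessForbiddenException
     */
    protected function getColumn(array $project)
    {
        return $this->getRecordOwnedBy($this->columnModel, 'column_id', 'project_id', $project['id']);
    }

    // … unchanged: remaining accessors, each reduced to one getRecordOwnedBy() call …
```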