From 074f6c104f3e49401ef0065540338fc2d4be79f0 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sat, 23 Sep 2017 18:48:45 -0700 Subject: Avoid people to alter other projects by changing form data
---
 app/Controller/BaseController.php | 90 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) (limited to 'app/Controller/BaseController.php')
diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 5233e27f..1ac7ed20 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -155,4 +155,94 @@ abstract class BaseController extends Base
 return $subtask;
 }
+
+ protected function getColumn(array $project)
+ {
+ $column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
+
+ if (empty($column)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($column['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $column;
+ }
+
+ protected function getSwimlane(array $project)
+ {
+ $swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
+
+ if (empty($swimlane)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($swimlane['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $swimlane;
+ }
+
+ protected function getCategory(array $project)
+ {
+ $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
+
+ if (empty($category)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($category['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $category;
+ }
+
+ protected function getProjectTag(array $project)
+ {
+ $tag = $this->tagModel->getById($this->request->getIntegerParam('tag_id'));
+
+ if (empty($tag)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($tag['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $tag;
+ }
+
+ protected function getAction(array $project)
+ {
+ $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+
+ if (empty($action)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($action['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $action;
+ }
+
+ protected function getCustomFilter(array $project)
+ {
+ $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+
+ if (empty($filter)) {
+ throw new PageNotFoundException();
+ }
+
+ if ($filter['project_id'] != $project['id']) {
+ throw new AccessForbiddenException();
+ }
+
+ return $filter;
+ }
 }
-- cgit v1.2.3