From 7100f6de8a1f566e260b3e65312767e4cde112b1 Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Wed, 27 Sep 2017 21:58:16 -0700
Subject: Make sure people do not access to files of other projects

---
 app/Controller/BaseController.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'app/Controller/BaseController.php')

diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php
index 41fcef1c..43ecfaab 100644
--- a/app/Controller/BaseController.php
+++ b/app/Controller/BaseController.php
@@ -74,13 +74,14 @@ abstract class BaseController extends Base
     {
         $task_id = $this->request->getIntegerParam('task_id');
         $file_id = $this->request->getIntegerParam('file_id');
+        $project_id = $this->request->getIntegerParam('project_id');
         $model = 'projectFileModel';
 
         if ($task_id > 0) {
             $model = 'taskFileModel';
-            $project_id = $this->taskFinderModel->getProjectId($task_id);
+            $task_project_id = $this->taskFinderModel->getProjectId($task_id);
 
-            if ($project_id !== $this->request->getIntegerParam('project_id')) {
+            if ($project_id != $task_project_id) {
                 throw new AccessForbiddenException();
             }
         }
@@ -91,6 +92,12 @@ abstract class BaseController extends Base
             throw new PageNotFoundException();
         }
 
+        if (isset($file['task_id']) && $file['task_id'] != $task_id) {
+            throw new AccessForbiddenException();
+        } else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
+            throw new AccessForbiddenException();
+        }
+
         $file['model'] = $model;
         return $file;
     }
-- 
cgit v1.2.3