From 074f6c104f3e49401ef0065540338fc2d4be79f0 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sat, 23 Sep 2017 18:48:45 -0700
Subject: Avoid people to alter other projects by changing form data
---
 app/Controller/SwimlaneController.php | 43 ++++++++++++-----------------------
 1 file changed, 14 insertions(+), 29 deletions(-)
(limited to 'app/Controller/SwimlaneController.php')
diff --git a/app/Controller/SwimlaneController.php b/app/Controller/SwimlaneController.php
index 0d81d83c..e6368b24 100644
--- a/app/Controller/SwimlaneController.php
+++ b/app/Controller/SwimlaneController.php
@@ -3,8 +3,6 @@ namespace Kanboard\Controller;
 use Kanboard\Core\Controller\AccessForbiddenException;
-use Kanboard\Core\Controller\PageNotFoundException;
-use Kanboard\Model\SwimlaneModel;
 /**
  * Swimlanes Controller
@@ -14,24 +12,6 @@ use Kanboard\Model\SwimlaneModel;
  */
 class SwimlaneController extends BaseController
 {
-    /**
-     * Get the swimlane (common method between actions)
-     *
-     * @access private
-     * @return array
-     * @throws PageNotFoundException
-     */
-    private function getSwimlane()
-    {
-        $swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
-        if (empty($swimlane)) {
-            throw new PageNotFoundException();
-        }
-        return $swimlane;
-    }
-
     /**
      * List of swimlanes for a given project
      *
@@ -78,6 +58,8 @@ class SwimlaneController extends BaseController
     {
         $project = $this->getProject();
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
+
         list($valid, $errors) = $this->swimlaneValidator->validateCreation($values);
         if ($valid) {
@@ -104,7 +86,7 @@ class SwimlaneController extends BaseController
     public function edit(array $values = array(), array $errors = array())
     {
         $project = $this->getProject();
-        $swimlane = $this->getSwimlane();
+        $swimlane = $this->getSwimlane($project);
         $this->response->html($this->helper->layout->project('swimlane/edit', array(
             'values' => empty($values) ? $swimlane : $values,
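Review bot: The override `$values['project_id'] = $project['id'];` in `create()` (and the matching `project_id`/`id` overrides in the `update()` hunk that follows) is the whole point of this commit, but nothing in the code says the assignment is deliberate, so a later cleanup could drop it as "redundant with the validator"; add a why-comment above it such as `// Bind to the URL-resolved project (and swimlane); never trust project_id/id posted in the form`. The `getSwimlane($project)` that `edit()` now calls is defined outside this diff — the private `getSwimlane()` removed above looked the row up by `swimlane_id` alone and threw `PageNotFoundException` when empty — so the cross-project isolation this commit claims rests entirely on that replacement filtering by `$project['id']` and raising not-found (or forbidden) rather than returning an empty array, which `edit()` would pass straight into the template as `'values'`. Worth confirming in the helper's tests that a swimlane id belonging to another project is rejected. `edit()`'s body continues past the end of the hunk.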
@@ -121,8 +103,11 @@ class SwimlaneController extends BaseController
     public function update()
     {
         $project = $this->getProject();
-
+        $swimlane = $this->getSwimlane($project);
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
+        $values['id'] = $swimlane['id'];
+
         list($valid, $errors) = $this->swimlaneValidator->validateModification($values);
         if ($valid) {
@@ -145,7 +130,7 @@ class SwimlaneController extends BaseController
     public function confirm()
     {
         $project = $this->getProject();
-        $swimlane = $this->getSwimlane();
+        $swimlane = $this->getSwimlane($project);
         $this->response->html($this->helper->layout->project('swimlane/remove', array(
             'project' => $project,
@@ -162,9 +147,9 @@ class SwimlaneController extends BaseController
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $swimlane_id = $this->request->getIntegerParam('swimlane_id');
+        $swimlane = $this->getSwimlane($project);
-        if ($this->swimlaneModel->remove($project['id'], $swimlane_id)) {
+        if ($this->swimlaneModel->remove($project['id'], $swimlane['id'])) {
             $this->flash->success(t('Swimlane removed successfully.'));
         } else {
             $this->flash->failure(t('Unable to remove this swimlane.'));
@@ -182,9 +167,9 @@ class SwimlaneController extends BaseController
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $swimlane_id = $this->request->getIntegerParam('swimlane_id');
+        $swimlane = $this->getSwimlane($project);
-        if ($this->swimlaneModel->disable($project['id'], $swimlane_id)) {
+        if ($this->swimlaneModel->disable($project['id'], $swimlane['id'])) {
             $this->flash->success(t('Swimlane updated successfully.'));
         } else {
             $this->flash->failure(t('Unable to update this swimlane.'));
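Review bot: The `remove()` hunk, the `disable()` hunk below it and the `enable()` hunk on the next line now have the same body shape — CSRF check, project, project-scoped swimlane, one model call, success/failure flash — differing only in the model method and the two message strings, so the three could share one private helper that takes the model call as a callable and the messages as arguments. Keeping `$project['id']` in the model call alongside `$swimlane['id']` is worth preserving in that helper: it remains a second guard that does not depend on how `getSwimlane()` scopes its lookup. Each of these methods starts before its hunk (signature and docblock are outside) and ends after it (the redirect is not shown), so the fence below shows only the shared part and one call site.
```php
    // Call site in remove(); disable()/enable() change the same way with their own method and messages:
    $this->applySwimlaneAction(array($this->swimlaneModel, 'remove'), t('Swimlane removed successfully.'), t('Unable to remove this swimlane.'));
    // … unchanged: remainder of remove() outside the hunk …

    /**
     * Shared body of remove()/disable()/enable(): CSRF check, project-scoped
     * swimlane lookup, a single model call, then a flash message.
     *
     * @access private
     * @param  callable $operation       Model method taking (project_id, swimlane_id) and returning bool
     * @param  string   $successMessage  Already translated success text
     * @param  string   $failureMessage  Already translated failure text
     */
    private function applySwimlaneAction($operation, $successMessage, $failureMessage)
    {
        $this->checkCSRFParam();
        $project = $this->getProject();
        $swimlane = $this->getSwimlane($project);

        // project id is passed explicitly as well, so the model call stays scoped even if getSwimlane() changes
        if (call_user_func($operation, $project['id'], $swimlane['id'])) {
            $this->flash->success($successMessage);
        } else {
            $this->flash->failure($failureMessage);
        }
    }
```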
@@ -202,9 +187,9 @@ class SwimlaneController extends BaseController
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $swimlane_id = $this->request->getIntegerParam('swimlane_id');
+        $swimlane = $this->getSwimlane($project);
-        if ($this->swimlaneModel->enable($project['id'], $swimlane_id)) {
+        if ($this->swimlaneModel->enable($project['id'], $swimlane['id'])) {
             $this->flash->success(t('Swimlane updated successfully.'));
         } else {
             $this->flash->failure(t('Unable to update this swimlane.'));
-- cgit v1.2.3