From 7100f6de8a1f566e260b3e65312767e4cde112b1 Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Wed, 27 Sep 2017 21:58:16 -0700 Subject: Make sure people do not access to files of other projects --- app/Controller/BaseController.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'app') diff --git a/app/Controller/BaseController.php b/app/Controller/BaseController.php index 41fcef1c..43ecfaab 100644 --- a/app/Controller/BaseController.php +++ b/app/Controller/BaseController.php @@ -74,13 +74,14 @@ abstract class BaseController extends Base { $task_id = $this->request->getIntegerParam('task_id'); $file_id = $this->request->getIntegerParam('file_id'); + $project_id = $this->request->getIntegerParam('project_id'); $model = 'projectFileModel'; if ($task_id > 0) { $model = 'taskFileModel'; - $project_id = $this->taskFinderModel->getProjectId($task_id); + $task_project_id = $this->taskFinderModel->getProjectId($task_id); - if ($project_id !== $this->request->getIntegerParam('project_id')) { + if ($project_id != $task_project_id) { throw new AccessForbiddenException(); } } @@ -91,6 +92,12 @@ abstract class BaseController extends Base throw new PageNotFoundException(); } + if (isset($file['task_id']) && $file['task_id'] != $task_id) { + throw new AccessForbiddenException(); + } else if (isset($file['project_id']) && $file['project_id'] != $project_id) { + throw new AccessForbiddenException(); + } + $file['model'] = $model; return $file; } -- cgit v1.2.3