AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid people to alter other projects by changing form data

This commit is contained in:
Frederic Guillot 2017-09-23 18:48:45 -07:00
parent 8ecaa60340
commit 074f6c104f
26 changed files with 154 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -5,6 +5,10 @@ New features:
* Vietnamese translation
Security Issues:
* Avoid people to alter other project resources by changing form data
Version 1.0.46 (August 13, 2017)
--------------------------------

5
app/Controller/ActionController.php
View File

@ -46,9 +46,10 @@ class ActionController extends BaseController
public function confirm()
{
$project = $this->getProject();
$action = $this->getAction($project);
$this->response->html($this->helper->layout->project('action/remove', array(
'action' => $this->actionModel->getById($this->request->getIntegerParam('action_id')),
'action' => $action,
'available_events' => $this->eventManager->getAll(),
'available_actions' => $this->actionManager->getAvailableActions(),
'project' => $project,
@ -65,7 +66,7 @@ class ActionController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
$action = $this->getAction($project);
if (! empty($action) && $this->actionModel->remove($action['id'])) {
$this->flash->success(t('Action removed successfully.'));

7
app/Controller/ActionCreationController.php
View File

@ -35,8 +35,9 @@ class ActionCreationController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
if (empty($values['action_name']) || empty($values['project_id'])) {
if (empty($values['action_name'])) {
return $this->create();
}
@ -57,8 +58,9 @@ class ActionCreationController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
if (empty($values['action_name']) || empty($values['project_id']) || empty($values['event_name'])) {
if (empty($values['action_name']) || empty($values['event_name'])) {
$this->create();
return;
}
@ -109,6 +111,7 @@ class ActionCreationController extends BaseController
*/
private function doCreation(array $project, array $values)
{
$values['project_id'] = $project['id'];
list($valid, ) = $this->actionValidator->validateCreation($values);
if ($valid) {

90
app/Controller/BaseController.php
View File

@ -155,4 +155,94 @@ abstract class BaseController extends Base
return $subtask;
}
protected function getColumn(array $project)
{
$column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
if (empty($column)) {
throw new PageNotFoundException();
}
if ($column['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $column;
}
protected function getSwimlane(array $project)
{
$swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
if (empty($swimlane)) {
throw new PageNotFoundException();
}
if ($swimlane['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $swimlane;
}
protected function getCategory(array $project)
{
$category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
if (empty($category)) {
throw new PageNotFoundException();
}
if ($category['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $category;
}
protected function getProjectTag(array $project)
{
$tag = $this->tagModel->getById($this->request->getIntegerParam('tag_id'));
if (empty($tag)) {
throw new PageNotFoundException();
}
if ($tag['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $tag;
}
protected function getAction(array $project)
{
$action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
if (empty($action)) {
throw new PageNotFoundException();
}
if ($action['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $action;
}
protected function getCustomFilter(array $project)
{
$filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
if (empty($filter)) {
throw new PageNotFoundException();
}
if ($filter['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
return $filter;
}
}

31
app/Controller/CategoryController.php
View File

@ -12,24 +12,6 @@ use Kanboard\Core\Controller\PageNotFoundException;
*/
class CategoryController extends BaseController
{
/**
* Get the category (common method between actions)
*
* @access private
* @return array
* @throws PageNotFoundException
*/
private function getCategory()
{
$category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
if (empty($category)) {
throw new PageNotFoundException();
}
return $category;
}
/**
* List of categories for a given project
*
@ -72,8 +54,9 @@ class CategoryController extends BaseController
public function save()
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
list($valid, $errors) = $this->categoryValidator->validateCreation($values);
if ($valid) {
@ -100,7 +83,7 @@ class CategoryController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$project = $this->getProject();
$category = $this->getCategory();
$category = $this->getCategory($project);
$this->response->html($this->template->render('category/edit', array(
'values' => empty($values) ? $category : $values,
@ -117,8 +100,12 @@ class CategoryController extends BaseController
public function update()
{
$project = $this->getProject();
$category = $this->getCategory($project);
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
$values['id'] = $category['id'];
list($valid, $errors) = $this->categoryValidator->validateModification($values);
if ($valid) {
@ -141,7 +128,7 @@ class CategoryController extends BaseController
public function confirm()
{
$project = $this->getProject();
$category = $this->getCategory();
$category = $this->getCategory($project);
$this->response->html($this->helper->layout->project('category/remove', array(
'project' => $project,
@ -158,7 +145,7 @@ class CategoryController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$category = $this->getCategory();
$category = $this->getCategory($project);
if ($this->categoryModel->remove($category['id'])) {
$this->flash->success(t('Category removed successfully.'));

16
app/Controller/ColumnController.php
View File

@ -61,6 +61,7 @@ class ColumnController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues() + array('hide_in_dashboard' => 0);
$values['project_id'] = $project['id'];
list($valid, $errors) = $this->columnValidator->validateCreation($values);
@ -95,7 +96,7 @@ class ColumnController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$project = $this->getProject();
$column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
$column = $this->getColumn($project);
$this->response->html($this->helper->layout->project('column/edit', array(
'errors' => $errors,
@ -113,7 +114,11 @@ class ColumnController extends BaseController
public function update()
{
$project = $this->getProject();
$column = $this->getColumn($project);
$values = $this->request->getValues() + array('hide_in_dashboard' => 0);
$values['project_id'] = $project['id'];
$values['id'] = $column['id'];
list($valid, $errors) = $this->columnValidator->validateModification($values);
@ -164,9 +169,10 @@ class ColumnController extends BaseController
public function confirm()
{
$project = $this->getProject();
$column = $this->getColumn($project);
$this->response->html($this->helper->layout->project('column/remove', array(
'column' => $this->columnModel->getById($this->request->getIntegerParam('column_id')),
'column' => $column,
'project' => $project,
)));
}
@ -178,11 +184,11 @@ class ColumnController extends BaseController
*/
public function remove()
{
$project = $this->getProject();
$this->checkCSRFParam();
$column_id = $this->request->getIntegerParam('column_id');
$project = $this->getProject();
$column = $this->getColumn($project);
if ($this->columnModel->remove($column_id)) {
if ($this->columnModel->remove($column['id'])) {
$this->flash->success(t('Column removed successfully.'));
} else {
$this->flash->failure(t('Unable to remove this column.'));

7
app/Controller/CustomFilterController.php
View File

@ -59,6 +59,7 @@ class CustomFilterController extends BaseController
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
$values['user_id'] = $this->userSession->getId();
list($valid, $errors) = $this->customFilterValidator->validateCreation($values);
@ -84,7 +85,7 @@ class CustomFilterController extends BaseController
public function confirm()
{
$project = $this->getProject();
$filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
$filter = $this->getCustomFilter($project);
$this->response->html($this->helper->layout->project('custom_filter/remove', array(
'project' => $project,
@ -102,7 +103,7 @@ class CustomFilterController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
$filter = $this->getCustomFilter($project);
$this->checkPermission($project, $filter);
@ -153,6 +154,8 @@ class CustomFilterController extends BaseController
$this->checkPermission($project, $filter);
$values = $this->request->getValues();
$values['id'] = $filter['id'];
$values['project_id'] = $project['id'];
if (! isset($values['is_shared'])) {
$values += array('is_shared' => 0);

2
app/Controller/ProjectEditController.php
View File

@ -65,6 +65,8 @@ class ProjectEditController extends BaseController
*/
private function prepareValues(array $project, array $values)
{
$values['id'] = $project['id'];
if (isset($values['is_private'])) {
if (! $this->helper->user->hasProjectAccess('ProjectCreationController', 'create', $project['id'])) {
unset($values['is_private']);

33
app/Controller/ProjectTagController.php
View File

@ -2,8 +2,6 @@
namespace Kanboard\Controller;
use Kanboard\Core\Controller\AccessForbiddenException;
/**
* Class ProjectTagController
*
@ -27,10 +25,6 @@ class ProjectTagController extends BaseController
{
$project = $this->getProject();
if (empty($values)) {
$values['project_id'] = $project['id'];
}
$this->response->html($this->template->render('project_tag/create', array(
'project' => $project,
'values' => $values,
@ -42,6 +36,8 @@ class ProjectTagController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
list($valid, $errors) = $this->tagValidator->validateCreation($values);
if ($valid) {
@ -60,8 +56,7 @@ class ProjectTagController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$project = $this->getProject();
$tag_id = $this->request->getIntegerParam('tag_id');
$tag = $this->tagModel->getById($tag_id);
$tag = $this->getProjectTag($project);
if (empty($values)) {
$values = $tag;
@ -78,14 +73,12 @@ class ProjectTagController extends BaseController
public function update()
{
$project = $this->getProject();
$tag_id = $this->request->getIntegerParam('tag_id');
$tag = $this->tagModel->getById($tag_id);
$tag = $this->getProjectTag($project);
$values = $this->request->getValues();
list($valid, $errors) = $this->tagValidator->validateModification($values);
$values['project_id'] = $project['id'];
$values['id'] = $tag['id'];
if ($tag['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
list($valid, $errors) = $this->tagValidator->validateModification($values);
if ($valid) {
if ($this->tagModel->update($values['id'], $values['name'])) {
@ -103,8 +96,7 @@ class ProjectTagController extends BaseController
public function confirm()
{
$project = $this->getProject();
$tag_id = $this->request->getIntegerParam('tag_id');
$tag = $this->tagModel->getById($tag_id);
$tag = $this->getProjectTag($project);
$this->response->html($this->template->render('project_tag/remove', array(
'tag' => $tag,
@ -116,14 +108,9 @@ class ProjectTagController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$tag_id = $this->request->getIntegerParam('tag_id');
$tag = $this->tagModel->getById($tag_id);
$tag = $this->getProjectTag($project);
if ($tag['project_id'] != $project['id']) {
throw new AccessForbiddenException();
}
if ($this->tagModel->remove($tag_id)) {
if ($this->tagModel->remove($tag['id'])) {
$this->flash->success(t('Tag removed successfully.'));
} else {
$this->flash->failure(t('Unable to remove this tag.'));

43
app/Controller/SwimlaneController.php
View File

@ -3,8 +3,6 @@
namespace Kanboard\Controller;
use Kanboard\Core\Controller\AccessForbiddenException;
use Kanboard\Core\Controller\PageNotFoundException;
use Kanboard\Model\SwimlaneModel;
/**
* Swimlanes Controller
@ -14,24 +12,6 @@ use Kanboard\Model\SwimlaneModel;
*/
class SwimlaneController extends BaseController
{
/**
* Get the swimlane (common method between actions)
*
* @access private
* @return array
* @throws PageNotFoundException
*/
private function getSwimlane()
{
$swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
if (empty($swimlane)) {
throw new PageNotFoundException();
}
return $swimlane;
}
/**
* List of swimlanes for a given project
*
@ -78,6 +58,8 @@ class SwimlaneController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
list($valid, $errors) = $this->swimlaneValidator->validateCreation($values);
if ($valid) {
@ -104,7 +86,7 @@ class SwimlaneController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$project = $this->getProject();
$swimlane = $this->getSwimlane();
$swimlane = $this->getSwimlane($project);
$this->response->html($this->helper->layout->project('swimlane/edit', array(
'values' => empty($values) ? $swimlane : $values,
@ -121,8 +103,11 @@ class SwimlaneController extends BaseController
public function update()
{
$project = $this->getProject();
$swimlane = $this->getSwimlane($project);
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
$values['id'] = $swimlane['id'];
list($valid, $errors) = $this->swimlaneValidator->validateModification($values);
if ($valid) {
@ -145,7 +130,7 @@ class SwimlaneController extends BaseController
public function confirm()
{
$project = $this->getProject();
$swimlane = $this->getSwimlane();
$swimlane = $this->getSwimlane($project);
$this->response->html($this->helper->layout->project('swimlane/remove', array(
'project' => $project,
@ -162,9 +147,9 @@ class SwimlaneController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$swimlane_id = $this->request->getIntegerParam('swimlane_id');
$swimlane = $this->getSwimlane($project);
if ($this->swimlaneModel->remove($project['id'], $swimlane_id)) {
if ($this->swimlaneModel->remove($project['id'], $swimlane['id'])) {
$this->flash->success(t('Swimlane removed successfully.'));
} else {
$this->flash->failure(t('Unable to remove this swimlane.'));
@ -182,9 +167,9 @@ class SwimlaneController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$swimlane_id = $this->request->getIntegerParam('swimlane_id');
$swimlane = $this->getSwimlane($project);
if ($this->swimlaneModel->disable($project['id'], $swimlane_id)) {
if ($this->swimlaneModel->disable($project['id'], $swimlane['id'])) {
$this->flash->success(t('Swimlane updated successfully.'));
} else {
$this->flash->failure(t('Unable to update this swimlane.'));
@ -202,9 +187,9 @@ class SwimlaneController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$swimlane_id = $this->request->getIntegerParam('swimlane_id');
$swimlane = $this->getSwimlane($project);
if ($this->swimlaneModel->enable($project['id'], $swimlane_id)) {
if ($this->swimlaneModel->enable($project['id'], $swimlane['id'])) {
$this->flash->success(t('Swimlane updated successfully.'));
} else {
$this->flash->failure(t('Unable to update this swimlane.'));

1
app/Controller/TaskCreationController.php
View File

@ -49,6 +49,7 @@ class TaskCreationController extends BaseController
{
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
list($valid, $errors) = $this->taskValidator->validateCreation($values);

1
app/Template/action_creation/create.php
View File

@ -3,7 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('ActionCreationController', 'event', array('project_id' => $project['id'])) ?>">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Action'), 'action_name') ?>
<?= $this->form->select('action_name', $available_actions, $values) ?>

1
app/Template/action_creation/event.php
View File

@ -5,7 +5,6 @@
<form method="post" action="<?= $this->url->href('ActionCreationController', 'params', array('project_id' => $project['id'])) ?>">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->hidden('action_name', $values) ?>
<?= $this->form->label(t('Action'), 'action_name') ?>

1
app/Template/action_creation/params.php
View File

@ -5,7 +5,6 @@
<form method="post" action="<?= $this->url->href('ActionCreationController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->hidden('event_name', $values) ?>
<?= $this->form->hidden('action_name', $values) ?>

1
app/Template/category/create.php
View File

@ -3,7 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('CategoryController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Category Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="50"')) ?>

3
app/Template/category/edit.php
View File

@ -5,9 +5,6 @@
<form method="post" action="<?= $this->url->href('CategoryController', 'update', array('project_id' => $project['id'], 'category_id' => $values['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Category Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="50"', 'tabindex="1"')) ?>

2
app/Template/column/create.php
View File

@ -4,8 +4,6 @@
<form method="post" action="<?= $this->url->href('ColumnController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Title'), 'title') ?>
<?= $this->form->text('title', $values, $errors, array('autofocus', 'required', 'maxlength="50"', 'tabindex="1"')) ?>

3
app/Template/column/edit.php
View File

@ -5,9 +5,6 @@
<form method="post" action="<?= $this->url->href('ColumnController', 'update', array('project_id' => $project['id'], 'column_id' => $column['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Title'), 'title') ?>
<?= $this->form->text('title', $values, $errors, array('autofocus', 'required', 'maxlength="50"')) ?>

1
app/Template/custom_filter/create.php
View File

@ -3,7 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('CustomFilterController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="100"')) ?>

2
app/Template/custom_filter/edit.php
View File

@ -5,9 +5,7 @@
<form method="post" action="<?= $this->url->href('CustomFilterController', 'update', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('user_id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="100"')) ?>

1
app/Template/project_edit/show.php
View File

@ -9,7 +9,6 @@
<?php endif ?>
<form method="post" action="<?= $this->url->href('ProjectEditController', 'update', array('project_id' => $project['id'], 'redirect' => 'edit')) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<fieldset>
<legend><?= t('General') ?></legend>

1
app/Template/project_tag/create.php
View File

@ -3,7 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('ProjectTagController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="255"')) ?>

2
app/Template/project_tag/edit.php
View File

@ -3,8 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('ProjectTagController', 'update', array('tag_id' => $tag['id'], 'project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="255"')) ?>

2
app/Template/swimlane/create.php
View File

@ -2,9 +2,7 @@
<h2><?= t('Add a new swimlane') ?></h2>
</div>
<form method="post" action="<?= $this->url->href('SwimlaneController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="50"', 'tabindex="1"')) ?>

4
app/Template/swimlane/edit.php
View File

@ -3,12 +3,8 @@
</div>
<form method="post" action="<?= $this->url->href('SwimlaneController', 'update', array('project_id' => $project['id'], 'swimlane_id' => $values['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<?= $this->form->label(t('Name'), 'name') ?>
<?= $this->form->text('name', $values, $errors, array('autofocus', 'required', 'maxlength="50"', 'tabindex="1"')) ?>

1
app/Template/task_creation/show.php
View File

@ -3,7 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('TaskCreationController', 'save', array('project_id' => $project['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('project_id', $values) ?>
<div class="task-form-container">
<div class="task-form-main-column">