AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoid people to alter other projects by changing form data

Browse Source
This commit is contained in:
Frederic Guillot
2017-09-23 18:48:45 -07:00
parent 8ecaa60340
commit 074f6c104f
26 changed files with 154 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
app/Controller/CustomFilterController.php
View File

@@ -59,6 +59,7 @@ class CustomFilterController extends BaseController
$project = $this->getProject();
$values = $this->request->getValues();
$values['project_id'] = $project['id'];
$values['user_id'] = $this->userSession->getId();
list($valid, $errors) = $this->customFilterValidator->validateCreation($values);
@@ -84,7 +85,7 @@ class CustomFilterController extends BaseController
public function confirm()
{
$project = $this->getProject();
$filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
$filter = $this->getCustomFilter($project);
$this->response->html($this->helper->layout->project('custom_filter/remove', array(
'project' => $project,
@@ -102,7 +103,7 @@ class CustomFilterController extends BaseController
{
$this->checkCSRFParam();
$project = $this->getProject();
$filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
$filter = $this->getCustomFilter($project);
$this->checkPermission($project, $filter);
@@ -153,6 +154,8 @@ class CustomFilterController extends BaseController
$this->checkPermission($project, $filter);
$values = $this->request->getValues();
$values['id'] = $filter['id'];
$values['project_id'] = $project['id'];
if (! isset($values['is_shared'])) {
$values += array('is_shared' => 0);