AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not expose IDs in forms

This commit is contained in:
Frederic Guillot 2017-09-23 20:56:54 -07:00
parent 074f6c104f
commit 3e0f14ae2b
20 changed files with 112 additions and 120 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
app/Controller/BaseController.php
View File

@ -138,14 +138,7 @@ abstract class BaseController extends Base
return $user;
}
/**
* Get the current subtask
*
* @access protected
* @return array
* @throws PageNotFoundException
*/
protected function getSubtask()
protected function getSubtask(array $task)
{
$subtask = $this->subtaskModel->getById($this->request->getIntegerParam('subtask_id'));
@ -153,9 +146,62 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
if ($subtask['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $subtask;
}
protected function getComment(array $task)
{
$comment = $this->commentModel->getById($this->request->getIntegerParam('comment_id'));
if (empty($comment)) {
throw new PageNotFoundException();
}
if (! $this->userSession->isAdmin() && $comment['user_id'] != $this->userSession->getId()) {
throw new AccessForbiddenException();
}
if ($comment['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $comment;
}
protected function getExternalTaskLink(array $task)
{
$link = $this->taskExternalLinkModel->getById($this->request->getIntegerParam('link_id'));
if (empty($link)) {
throw new PageNotFoundException();
}
if ($link['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $link;
}
protected function getInternalTaskLink(array $task)
{
$link = $this->taskLinkModel->getById($this->request->getIntegerParam('link_id'));
if (empty($link)) {
throw new PageNotFoundException();
}
if ($link['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $link;
}
protected function getColumn(array $project)
{
$column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));

43
app/Controller/CommentController.php
View File

@ -13,29 +13,6 @@ use Kanboard\Core\Controller\PageNotFoundException;
*/
class CommentController extends BaseController
{
/**
* Get the current comment
*
* @access protected
* @return array
* @throws PageNotFoundException
* @throws AccessForbiddenException
*/
protected function getComment()
{
$comment = $this->commentModel->getById($this->request->getIntegerParam('comment_id'));
if (empty($comment)) {
throw new PageNotFoundException();
}
if (! $this->userSession->isAdmin() && $comment['user_id'] != $this->userSession->getId()) {
throw new AccessForbiddenException();
}
return $comment;
}
/**
* Add comment form
*
@ -49,14 +26,6 @@ class CommentController extends BaseController
{
$project = $this->getProject();
$task = $this->getTask();
if (empty($values)) {
$values = array(
'user_id' => $this->userSession->getId(),
'task_id' => $task['id'],
);
}
$values['project_id'] = $task['project_id'];
$this->response->html($this->helper->layout->task('comment/create', array(
@ -106,7 +75,7 @@ class CommentController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
$comment = $this->getComment();
$comment = $this->getComment($task);
if (empty($values)) {
$values = $comment;
@ -130,9 +99,13 @@ class CommentController extends BaseController
public function update()
{
$task = $this->getTask();
$this->getComment();
$comment = $this->getComment($task);
$values = $this->request->getValues();
$values['id'] = $comment['id'];
$values['task_id'] = $task['id'];
$values['user_id'] = $comment['user_id'];
list($valid, $errors) = $this->commentValidator->validateModification($values);
if ($valid) {
@ -157,7 +130,7 @@ class CommentController extends BaseController
public function confirm()
{
$task = $this->getTask();
$comment = $this->getComment();
$comment = $this->getComment($task);
$this->response->html($this->template->render('comment/remove', array(
'comment' => $comment,
@ -175,7 +148,7 @@ class CommentController extends BaseController
{
$this->checkCSRFParam();
$task = $this->getTask();
$comment = $this->getComment();
$comment = $this->getComment($task);
if ($this->commentModel->remove($comment['id'])) {
$this->flash->success(t('Comment removed successfully.'));

12
app/Controller/SubtaskController.php
View File

@ -66,6 +66,7 @@ class SubtaskController extends BaseController
{
$task = $this->getTask();
$values = $this->request->getValues();
$values['task_id'] = $task['id'];
list($valid, $errors) = $this->subtaskValidator->validateCreation($values);
@ -103,7 +104,7 @@ class SubtaskController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$this->response->html($this->template->render('subtask/edit', array(
'values' => empty($values) ? $subtask : $values,
@ -123,9 +124,12 @@ class SubtaskController extends BaseController
public function update()
{
$task = $this->getTask();
$this->getSubtask();
$subtask = $this->getSubtask($task);
$values = $this->request->getValues();
$values['id'] = $subtask['id'];
$values['task_id'] = $task['id'];
list($valid, $errors) = $this->subtaskValidator->validateModification($values);
if ($valid) {
@ -149,7 +153,7 @@ class SubtaskController extends BaseController
public function confirm()
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$this->response->html($this->template->render('subtask/remove', array(
'subtask' => $subtask,
@ -166,7 +170,7 @@ class SubtaskController extends BaseController
{
$this->checkCSRFParam();
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
if ($this->subtaskModel->remove($subtask['id'])) {
$this->flash->success(t('Sub-task removed successfully.'));

5
app/Controller/SubtaskConverterController.php
View File

@ -13,7 +13,7 @@ class SubtaskConverterController extends BaseController
public function show()
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$this->response->html($this->template->render('subtask_converter/show', array(
'subtask' => $subtask,
@ -24,7 +24,8 @@ class SubtaskConverterController extends BaseController
public function save()
{
$project = $this->getProject();
$subtask = $this->getSubtask();
$task = $this->getTask();
$subtask = $this->getSubtask($task);
$task_id = $this->subtaskTaskConversionModel->convertToTask($project['id'], $subtask['id']);

4
app/Controller/SubtaskRestrictionController.php
View File

@ -20,7 +20,7 @@ class SubtaskRestrictionController extends BaseController
public function show()
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$this->response->html($this->template->render('subtask_restriction/show', array(
'status_list' => array(
@ -41,7 +41,7 @@ class SubtaskRestrictionController extends BaseController
public function save()
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$values = $this->request->getValues();
// Change status of the previous "in progress" subtask

10
app/Controller/SubtaskStatusController.php
View File

@ -18,7 +18,7 @@ class SubtaskStatusController extends BaseController
public function change()
{
$task = $this->getTask();
$subtask = $this->getSubtask();
$subtask = $this->getSubtask($task);
$fragment = $this->request->getStringParam('fragment');
$status = $this->subtaskStatusModel->toggleStatus($subtask['id']);
@ -43,19 +43,19 @@ class SubtaskStatusController extends BaseController
public function timer()
{
$task = $this->getTask();
$subtaskId = $this->request->getIntegerParam('subtask_id');
$subtask = $this->getSubtask($task);
$timer = $this->request->getStringParam('timer');
if ($timer === 'start') {
$this->subtaskTimeTrackingModel->logStartTime($subtaskId, $this->userSession->getId());
$this->subtaskTimeTrackingModel->logStartTime($subtask['id'], $this->userSession->getId());
} elseif ($timer === 'stop') {
$this->subtaskTimeTrackingModel->logEndTime($subtaskId, $this->userSession->getId());
$this->subtaskTimeTrackingModel->logEndTime($subtask['id'], $this->userSession->getId());
$this->subtaskTimeTrackingModel->updateTaskTimeTracking($task['id']);
}
$this->response->html($this->template->render('subtask/timer', array(
'task' => $task,
'subtask' => $this->subtaskModel->getByIdWithDetails($subtaskId),
'subtask' => $this->subtaskModel->getByIdWithDetails($subtask['id']),
)));
}

37
app/Controller/TaskExternalLinkController.php
View File

@ -74,6 +74,8 @@ class TaskExternalLinkController extends BaseController
{
$task = $this->getTask();
$values = $this->request->getValues();
$values['task_id'] = $task['id'];
list($valid, $errors) = $this->externalLinkValidator->validateCreation($values);
if ($valid) {
@ -108,22 +110,14 @@ class TaskExternalLinkController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
$link_id = $this->request->getIntegerParam('link_id');
if ($link_id > 0) {
$values = $this->taskExternalLinkModel->getById($link_id);
}
if (empty($values)) {
throw new PageNotFoundException();
}
$provider = $this->externalLinkManager->getProvider($values['link_type']);
$link = $this->getExternalTaskLink($task);
$provider = $this->externalLinkManager->getProvider($link['link_type']);
$this->response->html($this->template->render('task_external_link/edit', array(
'values' => $values,
'errors' => $errors,
'task' => $task,
'values' => empty($values) ? $link : $values,
'errors' => $errors,
'task' => $task,
'link' => $link,
'dependencies' => $provider->getDependencies(),
)));
}
@ -136,7 +130,12 @@ class TaskExternalLinkController extends BaseController
public function update()
{
$task = $this->getTask();
$link = $this->getExternalTaskLink($task);
$values = $this->request->getValues();
$values['id'] = $link['id'];
$values['task_id'] = $link['task_id'];
list($valid, $errors) = $this->externalLinkValidator->validateModification($values);
if ($valid && $this->taskExternalLinkModel->update($values)) {
@ -155,12 +154,7 @@ class TaskExternalLinkController extends BaseController
public function confirm()
{
$task = $this->getTask();
$link_id = $this->request->getIntegerParam('link_id');
$link = $this->taskExternalLinkModel->getById($link_id);
if (empty($link)) {
throw new PageNotFoundException();
}
$link = $this->getExternalTaskLink($task);
$this->response->html($this->template->render('task_external_link/remove', array(
'link' => $link,
@ -177,8 +171,9 @@ class TaskExternalLinkController extends BaseController
{
$this->checkCSRFParam();
$task = $this->getTask();
$link = $this->getExternalTaskLink($task);
if ($this->taskExternalLinkModel->remove($this->request->getIntegerParam('link_id'))) {
if ($this->taskExternalLinkModel->remove($link['id'])) {
$this->flash->success(t('Link removed successfully.'));
} else {
$this->flash->failure(t('Unable to remove this link.'));

34
app/Controller/TaskInternalLinkController.php
View File

@ -13,24 +13,6 @@ use Kanboard\Core\Controller\PageNotFoundException;
*/
class TaskInternalLinkController extends BaseController
{
/**
* Get the current link
*
* @access private
* @return array
* @throws PageNotFoundException
*/
private function getTaskLink()
{
$link = $this->taskLinkModel->getById($this->request->getIntegerParam('link_id'));
if (empty($link)) {
throw new PageNotFoundException();
}
return $link;
}
/**
* Creation form
*
@ -45,9 +27,7 @@ class TaskInternalLinkController extends BaseController
$task = $this->getTask();
if (empty($values)) {
$values = array(
'another_tasklink' => $this->request->getIntegerParam('another_tasklink', 0)
);
$values['another_tasklink'] = $this->request->getIntegerParam('another_tasklink', 0);
$values = $this->hook->merge('controller:tasklink:form:default', $values, array('default_values' => $values));
}
@ -68,6 +48,7 @@ class TaskInternalLinkController extends BaseController
{
$task = $this->getTask();
$values = $this->request->getValues();
$values['task_id'] = $task['id'];
list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
@ -106,7 +87,7 @@ class TaskInternalLinkController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
$task_link = $this->getTaskLink();
$task_link = $this->getInternalTaskLink($task);
if (empty($values)) {
$opposite_task = $this->taskFinderModel->getById($task_link['opposite_task_id']);
@ -131,7 +112,11 @@ class TaskInternalLinkController extends BaseController
public function update()
{
$task = $this->getTask();
$task_link = $this->getInternalTaskLink($task);
$values = $this->request->getValues();
$values['task_id'] = $task['id'];
$values['id'] = $task_link['id'];
list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
@ -155,7 +140,7 @@ class TaskInternalLinkController extends BaseController
public function confirm()
{
$task = $this->getTask();
$link = $this->getTaskLink();
$link = $this->getInternalTaskLink($task);
$this->response->html($this->template->render('task_internal_link/remove', array(
'link' => $link,
@ -172,8 +157,9 @@ class TaskInternalLinkController extends BaseController
{
$this->checkCSRFParam();
$task = $this->getTask();
$link = $this->getInternalTaskLink($task);
if ($this->taskLinkModel->remove($this->request->getIntegerParam('link_id'))) {
if ($this->taskLinkModel->remove($link['id'])) {
$this->flash->success(t('Link removed successfully.'));
} else {
$this->flash->failure(t('Unable to remove this link.'));

2
app/Controller/TaskModificationController.php
View File

@ -98,6 +98,8 @@ class TaskModificationController extends BaseController
{
$task = $this->getTask();
$values = $this->request->getValues();
$values['id'] = $task['id'];
$values['project_id'] = $task['project_id'];
list($valid, $errors) = $this->taskValidator->validateModification($values);

1
app/Controller/TaskRecurrenceController.php
View File

@ -47,6 +47,7 @@ class TaskRecurrenceController extends BaseController
{
$task = $this->getTask();
$values = $this->request->getValues();
$values['id'] = $task['id'];
list($valid, $errors) = $this->taskValidator->validateEditRecurrence($values);

2
app/Template/comment/create.php
View File

@ -8,8 +8,6 @@
</div>
<form method="post" action="<?= $this->url->href('CommentController', 'save', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('task_id', $values) ?>
<?= $this->form->hidden('user_id', $values) ?>
<?= $this->form->textEditor('comment', $values, $errors, array('autofocus' => true, 'required' => true)) ?>

3
app/Template/comment/edit.php
View File

@ -4,9 +4,6 @@
<form method="post" action="<?= $this->url->href('CommentController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'], 'comment_id' => $comment['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('task_id', $values) ?>
<?= $this->form->hidden('user_id', $values) ?>
<?= $this->form->textEditor('comment', $values, $errors, array('autofocus' => true, 'required' => true)) ?>

3
app/Template/subtask/create.php
View File

@ -3,9 +3,8 @@
</div>
<form method="post" action="<?= $this->url->href('SubtaskController', 'save', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('task_id', $values) ?>
<?= $this->subtask->renderTitleField($values, $errors, array('autofocus')) ?>
<?= $this->subtask->renderAssigneeField($users_list, $values, $errors) ?>
<?= $this->subtask->renderTimeEstimatedField($values, $errors) ?>

2
app/Template/subtask/edit.php
View File

@ -4,8 +4,6 @@
<form method="post" action="<?= $this->url->href('SubtaskController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'], 'subtask_id' => $subtask['id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('task_id', $values) ?>
<?= $this->subtask->renderTitleField($values, $errors, array('autofocus')) ?>
<?= $this->subtask->renderAssigneeField($users_list, $values, $errors) ?>

2
app/Template/task_external_link/edit.php
View File

@ -2,7 +2,7 @@
<h2><?= t('Edit external link') ?></h2>
</div>
<form action="<?= $this->url->href('TaskExternalLinkController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" method="post" autocomplete="off">
<form action="<?= $this->url->href('TaskExternalLinkController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'], 'link_id' => $link['id'])) ?>" method="post" autocomplete="off">
<?= $this->render('task_external_link/form', array('task' => $task, 'dependencies' => $dependencies, 'values' => $values, 'errors' => $errors)) ?>
<?= $this->modal->submitButtons() ?>
</form>

1
app/Template/task_external_link/find.php
View File

@ -4,7 +4,6 @@
<form action="<?= $this->url->href('TaskExternalLinkController', 'create', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" method="post" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('task_id', array('task_id' => $task['id'])) ?>
<?= $this->form->label(t('External link'), 'text') ?>
<?= $this->form->text(

2
app/Template/task_external_link/form.php
View File

@ -1,6 +1,4 @@
<?= $this->form->csrf() ?>
<?= $this->form->hidden('task_id', array('task_id' => $task['id'])) ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('link_type', $values) ?>
<?= $this->form->label(t('URL'), 'url') ?>

1
app/Template/task_internal_link/create.php
View File

@ -5,7 +5,6 @@
<form action="<?= $this->url->href('TaskInternalLinkController', 'save', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" method="post" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('task_id', array('task_id' => $task['id'])) ?>
<?= $this->form->hidden('opposite_task_id', $values) ?>
<?= $this->form->label(t('Label'), 'link_id') ?>

4
app/Template/task_internal_link/edit.php
View File

@ -3,10 +3,8 @@
</div>
<form action="<?= $this->url->href('TaskInternalLinkController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'], 'link_id' => $task_link['id'])) ?>" method="post" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('task_id', $values) ?>
<?= $this->form->hidden('opposite_task_id', $values) ?>
<?= $this->form->label(t('Label'), 'link_id') ?>

2
app/Template/task_modification/show.php
View File

@ -3,8 +3,6 @@
</div>
<form method="post" action="<?= $this->url->href('TaskModificationController', 'update', array('task_id' => $task['id'], 'project_id' => $task['project_id'])) ?>" autocomplete="off">
<?= $this->form->csrf() ?>
<?= $this->form->hidden('id', $values) ?>
<?= $this->form->hidden('project_id', $values) ?>
<div class="task-form-container">
<div class="task-form-main-column">