Do not expose IDs in forms

This commit is contained in:
Frederic Guillot
2017-09-23 20:56:54 -07:00
parent 074f6c104f
commit 3e0f14ae2b
20 changed files with 112 additions and 120 deletions


@@ -138,14 +138,7 @@ abstract class BaseController extends Base
return $user;
}
/**
* Get the current subtask
*
* @access protected
* @return array
* @throws PageNotFoundException
*/
protected function getSubtask()
protected function getSubtask(array $task)
{
$subtask = $this->subtaskModel->getById($this->request->getIntegerParam('subtask_id'));
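Review bot: The docblock above getSubtask() was not updated for the new parameter, so the `protected function getSubtask(array $task)` signature is undocumented; add `@param array $task` between the description and `@return array`. The body, which continues in the next hunk, also throws AccessForbiddenException when the subtask's task_id does not match `$task['id']`, so the tag list should gain `@throws AccessForbiddenException` — that is what tells a caller the task/subtask binding is enforced in this helper rather than in the route. The same missing `@param`/`@throws` documentation applies to the new getComment, getExternalTaskLink and getInternalTaskLink methods in the following hunk, which carry no docblock at all. getSubtask's body ends outside this hunk.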
@@ -153,9 +146,62 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
if ($subtask['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $subtask;
}
protected function getComment(array $task)
{
$comment = $this->commentModel->getById($this->request->getIntegerParam('comment_id'));
if (empty($comment)) {
throw new PageNotFoundException();
}
if (! $this->userSession->isAdmin() && $comment['user_id'] != $this->userSession->getId()) {
throw new AccessForbiddenException();
}
if ($comment['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $comment;
}
protected function getExternalTaskLink(array $task)
{
$link = $this->taskExternalLinkModel->getById($this->request->getIntegerParam('link_id'));
if (empty($link)) {
throw new PageNotFoundException();
}
if ($link['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $link;
}
protected function getInternalTaskLink(array $task)
{
$link = $this->taskLinkModel->getById($this->request->getIntegerParam('link_id'));
if (empty($link)) {
throw new PageNotFoundException();
}
if ($link['task_id'] != $task['id']) {
throw new AccessForbiddenException();
}
return $link;
}
protected function getColumn(array $project)
{
$column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));