AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make sure people do not access to files of other projects

This commit is contained in:
Frederic Guillot 2017-09-27 21:58:16 -07:00
parent ac795d9a58
commit 7100f6de8a
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/Controller/BaseController.php
View File

@ -74,13 +74,14 @@ abstract class BaseController extends Base
{
$task_id = $this->request->getIntegerParam('task_id');
$file_id = $this->request->getIntegerParam('file_id');
$project_id = $this->request->getIntegerParam('project_id');
$model = 'projectFileModel';
if ($task_id > 0) {
$model = 'taskFileModel';
$project_id = $this->taskFinderModel->getProjectId($task_id);
$task_project_id = $this->taskFinderModel->getProjectId($task_id);
if ($project_id !== $this->request->getIntegerParam('project_id')) {
if ($project_id != $task_project_id) {
throw new AccessForbiddenException();
}
}
@ -91,6 +92,12 @@ abstract class BaseController extends Base
throw new PageNotFoundException();
}
if (isset($file['task_id']) && $file['task_id'] != $task_id) {
throw new AccessForbiddenException();
} else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
throw new AccessForbiddenException();
}
$file['model'] = $model;
return $file;
}