Add missing permission check when creating/updating internal links

2023-05-29 19:39:28 -07:00 · 2023-05-29 19:39:28 -07:00 · b501ef44bc
parent 05f1d23d82
commit b501ef44bc
2 changed files with 31 additions and 0 deletions
--- a/app/Api/Procedure/TaskLinkProcedure.php
+++ b/app/Api/Procedure/TaskLinkProcedure.php
@ -51,6 +51,15 @@ class TaskLinkProcedure extends BaseProcedure
    public function createTaskLink($task_id, $opposite_task_id, $link_id)
    {
        TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
+
+        if ($this->userSession->isLogged()) {
+            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                return false;
+            }
+        }
+
        return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
    }

@ -67,6 +76,15 @@ class TaskLinkProcedure extends BaseProcedure
    public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
    {
        TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
+
+        if ($this->userSession->isLogged()) {
+            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                return false;
+            }
+        }
+
        return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
    }

--- a/app/Controller/TaskInternalLinkController.php
+++ b/app/Controller/TaskInternalLinkController.php
@ -2,6 +2,7 @@

 namespace Kanboard\Controller;

+use Kanboard\Core\Controller\AccessForbiddenException;
 use Kanboard\Core\Controller\PageNotFoundException;

 /**
@ -53,6 +54,12 @@ class TaskInternalLinkController extends BaseController
        list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);

        if ($valid) {
+            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                throw new AccessForbiddenException();
+            }
+
            if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
                $this->flash->success(t('Link added successfully.'));

@ -121,6 +128,12 @@ class TaskInternalLinkController extends BaseController
        list($valid, $errors) = $this->taskLinkValidator->validateModification($values);

        if ($valid) {
+            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                throw new AccessForbiddenException();
+            }
+
            if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
                $this->flash->success(t('Link updated successfully.'));
                return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');