From b501ef44bc28ee9cf603a4fa446ee121d66f652f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Mon, 29 May 2023 19:39:28 -0700
Subject: [PATCH] Add missing permission check when creating/updating internal links

---
 app/Api/Procedure/TaskLinkProcedure.php       | 18 ++++++++++++++++++
 app/Controller/TaskInternalLinkController.php | 13 +++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/app/Api/Procedure/TaskLinkProcedure.php b/app/Api/Procedure/TaskLinkProcedure.php
index 375266fb3..e794f2bbd 100644
--- a/app/Api/Procedure/TaskLinkProcedure.php
+++ b/app/Api/Procedure/TaskLinkProcedure.php
@@ -51,6 +51,15 @@ class TaskLinkProcedure extends BaseProcedure
     public function createTaskLink($task_id, $opposite_task_id, $link_id)
     {
         TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
+
+        if ($this->userSession->isLogged()) {
+            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                return false;
+            }
+        }
+
         return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
     }
 
@@ -67,6 +76,15 @@ class TaskLinkProcedure extends BaseProcedure
     public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
     {
         TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
+
+        if ($this->userSession->isLogged()) {
+            $opposite_task = $this->taskFinderModel->getById($opposite_task_id);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                return false;
+            }
+        }
+
         return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
     }
 
diff --git a/app/Controller/TaskInternalLinkController.php b/app/Controller/TaskInternalLinkController.php
index 7ab01374a..5f80a28bd 100644
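Review bot: In createTaskLink the lookup result is used unchecked — when `$opposite_task_id` does not resolve to a task, `$opposite_task['project_id']` is an undefined index and `isUserAllowed` receives a null project id, so whether the call is denied depends on how that method happens to treat null rather than on an explicit decision. Make the deny path explicit: `if (empty($opposite_task) || ! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {`. The same nine lines are repeated verbatim in updateTaskLink (the second hunk); a private helper such as `isOppositeTaskAccessible($opposite_task_id)` returning bool would keep the two checks from drifting apart. The `isLogged()` gate means the check is skipped entirely for sessions that are not a logged-in user — presumably the application-credential API case, if that is the intent — and deserves a one-line comment saying so, because without it the branch reads like a bypass.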
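Review bot: In updateTaskLink nothing visible ties `$task_link_id` to `$task_id`: the TaskAuthorization check covers `$task_id` and the new block covers the opposite task, but the link row being rewritten is identified only by the caller-supplied `$task_link_id`. Unless `taskLinkModel->update` itself verifies that the row belongs to `$task_id`, the authorisation is performed against a task other than the one whose link is actually modified. Loading the existing link first and returning false when it is empty or its stored `task_id` differs from `$task_id` would close that gap; the same consideration applies to the controller's update path in the second file.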
--- a/app/Controller/TaskInternalLinkController.php
+++ b/app/Controller/TaskInternalLinkController.php
@@ -2,6 +2,7 @@
 
 namespace Kanboard\Controller;
 
+use Kanboard\Core\Controller\AccessForbiddenException;
 use Kanboard\Core\Controller\PageNotFoundException;
 
 /**
@@ -53,6 +54,12 @@ class TaskInternalLinkController extends BaseController
         list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
 
         if ($valid) {
+            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                throw new AccessForbiddenException();
+            }
+
             if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
                 $this->flash->success(t('Link added successfully.'));
 
@@ -121,6 +128,12 @@ class TaskInternalLinkController extends BaseController
         list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
 
         if ($valid) {
+            $opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
+
+            if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
+                throw new AccessForbiddenException();
+            }
+
             if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
                 $this->flash->success(t('Link updated successfully.'));
                 return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');
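Review bot: The controller's create path has the same unchecked lookup as the API procedure — `$opposite_task['project_id']` is read without confirming `getById` returned a row, so any `opposite_task_id` that `validateCreation` accepts but that no longer exists reaches `isUserAllowed` with a null project id. Write the denial explicitly: `if (empty($opposite_task) || ! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {`. The block now exists four times across both files (here, the update hunk below, and both API methods); a single model-level helper answering "may the current user link to this task" would be the natural home so the rule is changed in one place. Both enclosing controller methods start and end outside their hunks.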
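Review bot: In the update hunk the authorised task and the task actually written can diverge: the redirect uses `$task['id']` (the task resolved by the controller, outside this hunk) while `taskLinkModel->update` receives `$values['id']` and `$values['task_id']` straight from the request form, and neither is compared against `$task`. The new opposite-task check does not cover that, so a submission carrying a different `task_id` or a link `id` belonging to another task is constrained only by whatever `validateModification` and the model enforce, which is not visible here. Pinning the write to the resolved task, `$values['task_id'] = $task['id'];` before the update call, and rejecting a link `id` whose stored `task_id` is not `$task['id']` would make the check self-contained. The create hunk above relies on `$values['task_id']` in the same way, if `$task` is resolved there too.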