AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add missing permission check when creating/updating internal links

Browse Source
This commit is contained in:
Frédéric Guillot
2023-05-29 19:39:28 -07:00
committed by Frédéric Guillot
parent 05f1d23d82
commit b501ef44bc
2 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/Api/Procedure/TaskLinkProcedure.php
View File

@@ -51,6 +51,15 @@ class TaskLinkProcedure extends BaseProcedure
public function createTaskLink($task_id, $opposite_task_id, $link_id)
{
TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
if ($this->userSession->isLogged()) {
$opposite_task = $this->taskFinderModel->getById($opposite_task_id);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
return false;
}
}
return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
}
@@ -67,6 +76,15 @@ class TaskLinkProcedure extends BaseProcedure
public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
{
TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
if ($this->userSession->isLogged()) {
$opposite_task = $this->taskFinderModel->getById($opposite_task_id);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
return false;
}
}
return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
}