Add missing permission check when creating/updating internal links

This commit is contained in:
Frédéric Guillot
2023-05-29 19:39:28 -07:00
committed by Frédéric Guillot
parent 05f1d23d82
commit b501ef44bc
2 changed files with 31 additions and 0 deletions


@@ -2,6 +2,7 @@
namespace Kanboard\Controller;
use Kanboard\Core\Controller\AccessForbiddenException;
use Kanboard\Core\Controller\PageNotFoundException;
/**
@@ -53,6 +54,12 @@ class TaskInternalLinkController extends BaseController
list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
if ($valid) {
$opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
throw new AccessForbiddenException();
}
if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
$this->flash->success(t('Link added successfully.'));
@@ -121,6 +128,12 @@ class TaskInternalLinkController extends BaseController
list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
if ($valid) {
$opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
throw new AccessForbiddenException();
}
if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
$this->flash->success(t('Link updated successfully.'));
return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');
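Review bot: The permission check added in the update hunk reads `$opposite_task['project_id']` without first confirming that `getById()` returned a row, so an `opposite_task_id` that passes validation but names a missing or deleted task presumably yields `false` here and the access decision is then made on a null project id, with an outcome that depends on `isUserAllowed()` internals rather than on an explicit rule. Reject the missing task up front: `if (empty($opposite_task) || ! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {`. The model call also passes `$values['task_id']` while the redirect on the last line uses `$task['id']`; if those can come from different sources (the request body versus the already permission-checked task), the source task needs the same check or `$task['id']` should be passed instead — where `$values` is built is not visible in this hunk. The identical guard now appears in both the create and update actions, so a small private helper such as `assertUserCanAccessOppositeTask(array $values): void` would keep the two from drifting apart. The enclosing update method starts before the hunk and its body continues past it.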