AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add missing permission check when creating/updating internal links

Browse Source
This commit is contained in:
Frédéric Guillot
2023-05-29 19:39:28 -07:00
committed by Frédéric Guillot
parent 05f1d23d82
commit b501ef44bc
2 changed files with 31 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/Api/Procedure/TaskLinkProcedure.php
View File

@@ -51,6 +51,15 @@ class TaskLinkProcedure extends BaseProcedure
public function createTaskLink($task_id, $opposite_task_id, $link_id) public function createTaskLink($task_id, $opposite_task_id, $link_id)
{ {
TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id); TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'createTaskLink', $task_id);
if ($this->userSession->isLogged()) {
$opposite_task = $this->taskFinderModel->getById($opposite_task_id);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
return false;
}
}
return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id); return $this->taskLinkModel->create($task_id, $opposite_task_id, $link_id);
} }
@@ -67,6 +76,15 @@ class TaskLinkProcedure extends BaseProcedure
public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id) public function updateTaskLink($task_link_id, $task_id, $opposite_task_id, $link_id)
{ {
TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id); TaskAuthorization::getInstance($this->container)->check($this->getClassName(), 'updateTaskLink', $task_id);
if ($this->userSession->isLogged()) {
$opposite_task = $this->taskFinderModel->getById($opposite_task_id);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
return false;
}
}
return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id); return $this->taskLinkModel->update($task_link_id, $task_id, $opposite_task_id, $link_id);
} }

13
app/Controller/TaskInternalLinkController.php
View File

@@ -2,6 +2,7 @@
namespace Kanboard\Controller; namespace Kanboard\Controller;
use Kanboard\Core\Controller\AccessForbiddenException;
use Kanboard\Core\Controller\PageNotFoundException; use Kanboard\Core\Controller\PageNotFoundException;
/** /**
@@ -53,6 +54,12 @@ class TaskInternalLinkController extends BaseController
list($valid, $errors) = $this->taskLinkValidator->validateCreation($values); list($valid, $errors) = $this->taskLinkValidator->validateCreation($values);
if ($valid) { if ($valid) {
$opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
throw new AccessForbiddenException();
}
if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) { if ($this->taskLinkModel->create($values['task_id'], $values['opposite_task_id'], $values['link_id']) !== false) {
$this->flash->success(t('Link added successfully.')); $this->flash->success(t('Link added successfully.'));
@@ -121,6 +128,12 @@ class TaskInternalLinkController extends BaseController
list($valid, $errors) = $this->taskLinkValidator->validateModification($values); list($valid, $errors) = $this->taskLinkValidator->validateModification($values);
if ($valid) { if ($valid) {
$opposite_task = $this->taskFinderModel->getById($values['opposite_task_id']);
if (! $this->projectPermissionModel->isUserAllowed($opposite_task['project_id'], $this->userSession->getId())) {
throw new AccessForbiddenException();
}
if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) { if ($this->taskLinkModel->update($values['id'], $values['task_id'], $values['opposite_task_id'], $values['link_id'])) {
$this->flash->success(t('Link updated successfully.')); $this->flash->success(t('Link updated successfully.'));
return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links'); return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])).'#links');