fix: [security] Check event ACL before allowing user to send event contact form
JakubOnderka committed Jun 30, 2020
1 parent d14ce7d commit b0be3b0
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions app/Controller/EventsController.php
Expand Up @@ -2,6 +2,9 @@
App::uses('AppController', 'Controller');
App::uses('Xml', 'Utility');

/**
* @property Event $Event
*/
class EventsController extends AppController
{
public $components = array(
Expand Down Expand Up @@ -2792,9 +2795,8 @@ public function alert($id = null)
// Users with a GnuPG key will get the mail encrypted, other users will get the mail unencrypted
public function contact($id = null)
{
$id = $this->Toolbox->findIdByUuid($this->Event, $id);
$this->Event->id = $id;
if (!$this->Event->exists()) {
$events = $this->Event->fetchEvent($this->Auth->user(), array('eventid' => $id));
if (empty($events)) {
throw new NotFoundException(__('Invalid event'));
}
// User has filled in his contact form, send out the email.
Expand Down Expand Up @@ -2844,7 +2846,7 @@ public function contact($id = null)
}
// User didn't see the contact form yet. Present it to him.
if (empty($this->data)) {
$this->data = $this->Event->read(null, $id);
$this->data = $events[0];
}
}

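Review bot: In the hunk at `-2792,9 +2795,8`, the ACL-aware lookup now decides on `$events[0]`, but the code that follows (the send path between this hunk and the next one, outside the visible lines) still appears to work from `$id` as the caller supplied it; if the previous `findIdByUuid` normalisation was dropped here, `$id` may now be a UUID where a numeric id is expected, and the identifier used later is no longer tied to the record the check admitted. Taking the id from the fetched record, `$id = $events[0]['Event']['id'];` directly after the `empty($events)` guard, binds the rest of contact() to the same event that passed the ACL check. The fetchEvent line would also benefit from a comment stating the intent, e.g. `// fetchEvent filters by the current user's ACL, so an event the user may not see is reported as missing`, since the NotFoundException alone does not make the authorization purpose obvious. The body of contact() continues outside these hunks, so the later uses of `$id` are inferred rather than visible.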