From ccd951265db1ff37564e3b5e03dd6929c2fa75ba Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 11 Nov 2025 03:08:58 +0000
Subject: [PATCH 1/2] Initial plan
From 9194a3954d9f98ff4f88906c0e667ac6f86c91a5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 11 Nov 2025 03:12:12 +0000
Subject: [PATCH 2/2] Fix authorization checks to compare IDs instead of object with string
Co-authored-by: ljonesfl <1099983+ljonesfl@users.noreply.github.com>
---
 src/Cms/Controllers/Admin/PostController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Cms/Controllers/Admin/PostController.php b/src/Cms/Controllers/Admin/PostController.php
index 17383e3..b23aa4f 100644
--- a/src/Cms/Controllers/Admin/PostController.php
+++ b/src/Cms/Controllers/Admin/PostController.php
@@ -241,7 +241,7 @@ public function edit( array $parameters ): string
 }
 // Check permissions
-if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthor() !== $user->getUsername() )
+if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthorId() !== $user->getId() )
 {
 throw new \RuntimeException( 'Unauthorized to edit this post' );
 }
@@ -298,7 +298,7 @@ public function update( array $parameters ): string
 }
 // Check permissions
-if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthor() !== $user->getUsername() )
+if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthorId() !== $user->getId() )
 {
 throw new \RuntimeException( 'Unauthorized to edit this post' );
 }
@@ -367,7 +367,7 @@ public function destroy( array $parameters ): string
 }
 // Check permissions
-if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthor() !== $user->getUsername() )
+if( !$user->isAdmin() && !$user->isEditor() && $post->getAuthorId() !== $user->getId() )
 {
 $sessionManager->flash( 'error', 'Unauthorized to delete this post' );
 header( 'Location: /admin/posts' );
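Review bot: The strict `!==` on the added line in `edit` treats two nulls as a match, so if `$post->getAuthorId()` and `$user->getId()` can both be null (a post without an author, or a user object that is not backed by an authenticated account) the ownership test is satisfied and the non-admin, non-editor caller is let through; conversely, if one side yields a string id (e.g. straight from a database row) and the other an int, every legitimate author is denied. Neither return type is visible in the hunk, so this needs confirming against the Post and User models; a defensive form is `$ownsPost = $user->getId() !== null && $post->getAuthorId() === $user->getId();` followed by `if( !$user->isAdmin() && !$user->isEditor() && !$ownsPost )`. The identical condition appears in the `update` and `destroy` hunks, so a single private helper such as `canModifyPost( $post, $user ): bool` would keep the three checks from drifting apart again, as they evidently did before this fix. All three enclosing methods start and end outside their hunks, so whether `destroy` stops after the `header()` redirect cannot be seen here.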