Rights to sent a private message not checked properly #1452

Admidio · Jul 9, 2023 · b0e1beb · b0e1beb
1 parent bfac729
commit b0e1beb
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/adm_program/modules/messages/messages_send.php b/adm_program/modules/messages/messages_send.php
@@ -143,8 +143,10 @@
 }
 
 // object to handle the current message in the database
+if ($message->isNewRecord()) {
+    $message->setValue('msg_subject', $postSubject);
+}
 $message->setValue('msg_type', $getMsgType);
-$message->setValue('msg_subject', $postSubject);
 $message->setValue('msg_usr_id_sender', $gCurrentUserId);
 $message->addContent($postBody);
 
@@ -351,12 +353,22 @@
         $postTo = array($postTo);
     }
 
-    // get user data from Database
-    $user = new User($gDb, $gProfileFields, $postTo[0]);
+    // check if user is allowed to view message
+    if(!in_array($gCurrentUserId, array($message->getValue('msg_usr_id_sender'), $message->getConversationPartner()))) {
+        $gMessage->show($gL10n->get('SYS_INVALID_PAGE_VIEW'));
+        // => EXIT
+    }
+
+    try {
+        // get user data from Database
+        $user = new User($gDb, $gProfileFields, $postTo[0]);
 
-    // add user to the message object
-    $message->addUser((int) $user->getValue('usr_id'));
-    $message->setValue('msg_read', 1);
+        // add user to the message object
+        $message->addUser((int) $user->getValue('usr_id'));
+        $message->setValue('msg_read', 1);
+    } catch (AdmException $e) {
+        $e->showHtml();
+    }
 
     // check if it is allowed to send to this user
     if ((!$gCurrentUser->editUsers() && !isMember((int) $user->getValue('usr_id'))) || $user->getValue('usr_id') === '') {