From 777b20db7204624b6f531f2beec18f97fe357616 Mon Sep 17 00:00:00 2001
From: Ng Heng Lim
Date: Sun, 20 Oct 2013 18:39:27 +0800
Subject: [PATCH 1/2] Update Notification.php

added isOwnedBy function(which may be included in parent AppModel)
---
 Model/Notification.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Model/Notification.php b/Model/Notification.php
index 6cf5e8c..cd63709 100644
--- a/Model/Notification.php
+++ b/Model/Notification.php
@@ -3,7 +3,9 @@ App::uses('NotificationsAppModel', 'Notifications.Model');
 class Notification extends NotificationsAppModel {
-
+ public function isOwnedBy($id, $user) {
+ return $this->field('id', array('id' => $id, 'user_id' => $user)) === $id;
+ }
 public $virtualFields = array(
 'name' => 'message'
 );

From 5e879e588534fd05436ece3bea8142e626470638 Mon Sep 17 00:00:00 2001
From: Ng Heng Lim
Date: Sun, 20 Oct 2013 18:40:46 +0800
Subject: [PATCH 2/2] Update NotificationsController.php

Fixed Security problem that visitor can delete particular notification.
---
 Controller/NotificationsController.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/Controller/NotificationsController.php b/Controller/NotificationsController.php
index 4a7c16e..777360e 100644
--- a/Controller/NotificationsController.php
+++ b/Controller/NotificationsController.php
@@ -114,5 +114,19 @@ public function getlist($userId = null, $limit = 10) {
 $this->set('result', null);
 }
 }
+ public function isAuthorized($user) {
+ if (in_array($this->action, array('index','getlist','getcount'))) {
+ return true;
+ }
+ // The owner of notification delete or read it
+ if (in_array($this->action, array('delete','read'))) {
+ $notiId = $this->request->params['pass'][0];
+ if ($this->Notification->isOwnedBy($notiId, $user['id'])) {
+ return true;
+ }
+ }
+
+ return parent::isAuthorized($user);
+ }
 }
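Review bot: The `=== $id` comparison on the `field()` result in the return line of isOwnedBy is fragile: in CakePHP 2 `field()` hands back the column value as read from the database (typically a string) and `false` when no row matches, so an integer id passed by a caller fails the strict comparison even for the real owner, and a string id from the URL only matches by coincidence of type. Because the `id` and `user_id` conditions already pin the row, testing for a hit is clearer and type-independent: `return $this->field('id', array('id' => $id, 'user_id' => $user)) !== false;`. `$user` holds a user id rather than a user record, so a docblock such as `@param int|string $id Notification id` / `@param int|string $user Id of the user whose ownership is checked` would keep callers from passing the Auth user array. The class body continues outside the hunk.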
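Review bot: For `delete` and `read` a non-owner is not denied but falls through to `parent::isAuthorized($user)`, so the ownership check only holds if the parent implementation (outside this hunk) returns false for those actions; an explicit `return false;` after the `isOwnedBy` check, still inside the `delete`/`read` branch, makes the deny independent of the parent. `$this->request->params['pass'][0]` is read without a guard and raises a notice when the action is requested without an id; `$notiId = isset($this->request->params['pass'][0]) ? $this->request->params['pass'][0] : null;` keeps that case on the denying path. Both `in_array` calls should pass `true` as the third argument so the action name is compared strictly. The hunk header also shows `getlist($userId = null, $limit = 10)` being allowed unconditionally; if getlist lists notifications by the passed `$userId` rather than the session user, the same ownership concern applies there.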