Avoid people to alter other projects by changing form data

ChangeLog

@@ -5,6 +5,10 @@ New features:
 
 * Vietnamese translation
 
+Security Issues:
+
+* Avoid people to alter other project resources by changing form data
+
 Version 1.0.46 (August 13, 2017)
 --------------------------------
 

app/Controller/ActionController.php

@@ -46,9 +46,10 @@ public function index()
     public function confirm()
     {
         $project = $this->getProject();
+        $action = $this->getAction($project);
 
         $this->response->html($this->helper->layout->project('action/remove', array(
-            'action' => $this->actionModel->getById($this->request->getIntegerParam('action_id')),
+            'action' => $action,
             'available_events' => $this->eventManager->getAll(),
             'available_actions' => $this->actionManager->getAvailableActions(),
             'project' => $project,
@@ -65,7 +66,7 @@ public function remove()
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+        $action = $this->getAction($project);
 
         if (! empty($action) && $this->actionModel->remove($action['id'])) {
             $this->flash->success(t('Action removed successfully.'));

app/Controller/ActionCreationController.php

@@ -35,8 +35,9 @@ public function event()
     {
         $project = $this->getProject();
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
 
-        if (empty($values['action_name']) || empty($values['project_id'])) {
+        if (empty($values['action_name'])) {
             return $this->create();
         }
 
@@ -57,8 +58,9 @@ public function params()
     {
         $project = $this->getProject();
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
 
-        if (empty($values['action_name']) || empty($values['project_id']) || empty($values['event_name'])) {
+        if (empty($values['action_name']) || empty($values['event_name'])) {
             $this->create();
             return;
         }
@@ -109,6 +111,7 @@ public function save()
      */
     private function doCreation(array $project, array $values)
     {
+        $values['project_id'] = $project['id'];
         list($valid, ) = $this->actionValidator->validateCreation($values);
 
         if ($valid) {

app/Controller/BaseController.php

@@ -155,4 +155,94 @@ protected function getSubtask()
 
         return $subtask;
     }
+
+    protected function getColumn(array $project)
+    {
+        $column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
+
+        if (empty($column)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($column['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $column;
+    }
+
+    protected function getSwimlane(array $project)
+    {
+        $swimlane = $this->swimlaneModel->getById($this->request->getIntegerParam('swimlane_id'));
+
+        if (empty($swimlane)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($swimlane['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $swimlane;
+    }
+
+    protected function getCategory(array $project)
+    {
+        $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
+
+        if (empty($category)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($category['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $category;
+    }
+
+    protected function getProjectTag(array $project)
+    {
+        $tag = $this->tagModel->getById($this->request->getIntegerParam('tag_id'));
+
+        if (empty($tag)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($tag['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $tag;
+    }
+
+    protected function getAction(array $project)
+    {
+        $action = $this->actionModel->getById($this->request->getIntegerParam('action_id'));
+
+        if (empty($action)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($action['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $action;
+    }
+
+    protected function getCustomFilter(array $project)
+    {
+        $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+
+        if (empty($filter)) {
+            throw new PageNotFoundException();
+        }
+
+        if ($filter['project_id'] != $project['id']) {
+            throw new AccessForbiddenException();
+        }
+
+        return $filter;
+    }
 }

app/Controller/CategoryController.php

@@ -12,24 +12,6 @@
  */
 class CategoryController extends BaseController
 {
-    /**
-     * Get the category (common method between actions)
-     *
-     * @access private
-     * @return array
-     * @throws PageNotFoundException
-     */
-    private function getCategory()
-    {
-        $category = $this->categoryModel->getById($this->request->getIntegerParam('category_id'));
-
-        if (empty($category)) {
-            throw new PageNotFoundException();
-        }
-
-        return $category;
-    }
-
     /**
      * List of categories for a given project
      *
@@ -72,8 +54,9 @@ public function create(array $values = array(), array $errors = array())
     public function save()
     {
         $project = $this->getProject();
-
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
+
         list($valid, $errors) = $this->categoryValidator->validateCreation($values);
 
         if ($valid) {
@@ -100,7 +83,7 @@ public function save()
     public function edit(array $values = array(), array $errors = array())
     {
         $project = $this->getProject();
-        $category = $this->getCategory();
+        $category = $this->getCategory($project);
 
         $this->response->html($this->template->render('category/edit', array(
             'values'  => empty($values) ? $category : $values,
@@ -117,8 +100,12 @@ public function edit(array $values = array(), array $errors = array())
     public function update()
     {
         $project = $this->getProject();
+        $category = $this->getCategory($project);
 
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
+        $values['id'] = $category['id'];
+
         list($valid, $errors) = $this->categoryValidator->validateModification($values);
 
         if ($valid) {
@@ -141,7 +128,7 @@ public function update()
     public function confirm()
     {
         $project = $this->getProject();
-        $category = $this->getCategory();
+        $category = $this->getCategory($project);
 
         $this->response->html($this->helper->layout->project('category/remove', array(
             'project'  => $project,
@@ -158,7 +145,7 @@ public function remove()
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $category = $this->getCategory();
+        $category = $this->getCategory($project);
 
         if ($this->categoryModel->remove($category['id'])) {
             $this->flash->success(t('Category removed successfully.'));

app/Controller/ColumnController.php

@@ -61,6 +61,7 @@ public function save()
     {
         $project = $this->getProject();
         $values = $this->request->getValues() + array('hide_in_dashboard' => 0);
+        $values['project_id'] = $project['id'];
 
         list($valid, $errors) = $this->columnValidator->validateCreation($values);
 
@@ -95,7 +96,7 @@ public function save()
     public function edit(array $values = array(), array $errors = array())
     {
         $project = $this->getProject();
-        $column = $this->columnModel->getById($this->request->getIntegerParam('column_id'));
+        $column = $this->getColumn($project);
 
         $this->response->html($this->helper->layout->project('column/edit', array(
             'errors' => $errors,
@@ -113,7 +114,11 @@ public function edit(array $values = array(), array $errors = array())
     public function update()
     {
         $project = $this->getProject();
+        $column = $this->getColumn($project);
+
         $values = $this->request->getValues() + array('hide_in_dashboard' => 0);
+        $values['project_id'] = $project['id'];
+        $values['id'] = $column['id'];
 
         list($valid, $errors) = $this->columnValidator->validateModification($values);
 
@@ -164,9 +169,10 @@ public function move()
     public function confirm()
     {
         $project = $this->getProject();
+        $column = $this->getColumn($project);
 
         $this->response->html($this->helper->layout->project('column/remove', array(
-            'column' => $this->columnModel->getById($this->request->getIntegerParam('column_id')),
+            'column' => $column,
             'project' => $project,
         )));
     }
@@ -178,11 +184,11 @@ public function confirm()
      */
     public function remove()
     {
-        $project = $this->getProject();
         $this->checkCSRFParam();
-        $column_id = $this->request->getIntegerParam('column_id');
+        $project = $this->getProject();
+        $column = $this->getColumn($project);
 
-        if ($this->columnModel->remove($column_id)) {
+        if ($this->columnModel->remove($column['id'])) {
             $this->flash->success(t('Column removed successfully.'));
         } else {
             $this->flash->failure(t('Unable to remove this column.'));

app/Controller/CustomFilterController.php

@@ -59,6 +59,7 @@ public function save()
         $project = $this->getProject();
 
         $values = $this->request->getValues();
+        $values['project_id'] = $project['id'];
         $values['user_id'] = $this->userSession->getId();
 
         list($valid, $errors) = $this->customFilterValidator->validateCreation($values);
@@ -84,7 +85,7 @@ public function save()
     public function confirm()
     {
         $project = $this->getProject();
-        $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+        $filter = $this->getCustomFilter($project);
 
         $this->response->html($this->helper->layout->project('custom_filter/remove', array(
             'project' => $project,
@@ -102,7 +103,7 @@ public function remove()
     {
         $this->checkCSRFParam();
         $project = $this->getProject();
-        $filter = $this->customFilterModel->getById($this->request->getIntegerParam('filter_id'));
+        $filter = $this->getCustomFilter($project);
 
         $this->checkPermission($project, $filter);
 
@@ -153,6 +154,8 @@ public function update()
         $this->checkPermission($project, $filter);
 
         $values = $this->request->getValues();
+        $values['id'] = $filter['id'];
+        $values['project_id'] = $project['id'];
 
         if (! isset($values['is_shared'])) {
             $values += array('is_shared' => 0);

app/Controller/ProjectEditController.php

@@ -65,6 +65,8 @@ public function update()
      */
     private function prepareValues(array $project, array $values)
     {
+        $values['id'] = $project['id'];
+
         if (isset($values['is_private'])) {
             if (! $this->helper->user->hasProjectAccess('ProjectCreationController', 'create', $project['id'])) {
                 unset($values['is_private']);