Make sure people cannot access files belonging to other projects
fguillot committed Sep 28, 2017
1 parent ac795d9 commit 7100f6d
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions app/Controller/BaseController.php
Expand Up @@ -74,13 +74,14 @@ protected function getFile()
{
$task_id = $this->request->getIntegerParam('task_id');
$file_id = $this->request->getIntegerParam('file_id');
$project_id = $this->request->getIntegerParam('project_id');
$model = 'projectFileModel';

if ($task_id > 0) {
$model = 'taskFileModel';
$project_id = $this->taskFinderModel->getProjectId($task_id);
$task_project_id = $this->taskFinderModel->getProjectId($task_id);

if ($project_id !== $this->request->getIntegerParam('project_id')) {
if ($project_id != $task_project_id) {
throw new AccessForbiddenException();
}
}
Expand All @@ -91,6 +92,12 @@ protected function getFile()
throw new PageNotFoundException();
}

if (isset($file['task_id']) && $file['task_id'] != $task_id) {
throw new AccessForbiddenException();
} else if (isset($file['project_id']) && $file['project_id'] != $project_id) {
throw new AccessForbiddenException();
}

$file['model'] = $model;
return $file;
}
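Review bot: The new ownership check at the end of getFile() is fail-open: both branches are guarded by `isset(...)`, so a file row that carries neither a `task_id` nor a `project_id` key (or carries them as null) passes through with no ownership test at all, and because of the `else if` a row that has a matching `task_id` is never compared against `$project_id`. Since the whole point of this commit is to stop cross-project access, the check should fail closed — reject the file unless one of the two identifiers is present and matches — as in the excerpt below. The `!=` comparisons are presumably deliberate because the model returns database strings while getIntegerParam() returns ints; a `(int)` cast with `!==` would make that intent explicit rather than relying on loose comparison (note `0 != null` is false in PHP). The body of getFile() between the two hunks (the lookup that populates `$file`) is outside this view, so I cannot confirm what keys each model returns; please verify against projectFileModel and taskFileModel.
```php
if (isset($file['task_id'])) {
    if ($file['task_id'] != $task_id) {
        throw new AccessForbiddenException();
    }
} elseif (! isset($file['project_id']) || $file['project_id'] != $project_id) {
    throw new AccessForbiddenException();
}
// … unchanged: $file['model'] = $model; return $file; …
```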
