[SECURITY] Fix invalid access control check in WallPresenter::renderPin

This commit is contained in:
Celestora 2021-09-20 16:46:55 +03:00
parent b61cf7fb9d
commit 83b88dfee3
4 changed files with 15 additions and 8 deletions

View file

@ -99,14 +99,17 @@ class Post extends Postable
$this->save();
}
function canBeDeletedBy(User $user): bool
function canBePinnedBy(User $user): bool
{
if($this->getTargetWall() < 0)
$cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
else
$cDel = $this->getTargetWall() === $user->getId();
return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
return $this->getOwnerPost() === $user->getId() || $cDel;
return $this->getTargetWall() === $user->getId();
}
function canBeDeletedBy(User $user): bool
{
return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
}
function setContent(string $content): void

View file

@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
if(!$post)
$this->notFound();
if(!$post->canBeDeletedBy($this->user->identity))
if(!$post->canBePinnedBy($this->user->identity))
$this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
if(($this->queryParam("act") ?? "pin") === "pin") {

View file

@ -29,7 +29,9 @@
{/ifset}
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
<a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
{/if}
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
{if $post->isPinned()}
<a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
{else}

View file

@ -70,7 +70,9 @@
<div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
<a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a>&nbsp;|&nbsp;
{/if}
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
{if $post->isPinned()}
<a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a>&nbsp;|&nbsp;
{else}