From 83b88dfee34250e6818df3768ef3cfa198db5b07 Mon Sep 17 00:00:00 2001
From: Celestora
Date: Mon, 20 Sep 2021 16:46:55 +0300
Subject: [PATCH] [SECURITY] Fix invalid access control check in WallPresenter::renderPin

---
 Web/Models/Entities/Post.php | 13 ++++++++-----
 Web/Presenters/WallPresenter.php | 2 +-
 .../templates/components/post/microblogpost.xml | 4 +++-
 .../templates/components/post/oldpost.xml | 4 +++-
 4 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/Web/Models/Entities/Post.php b/Web/Models/Entities/Post.php
index fd15c8c0..fe6a3078 100644
--- a/Web/Models/Entities/Post.php
+++ b/Web/Models/Entities/Post.php
@@ -99,14 +99,17 @@ class Post extends Postable
         $this->save();
     }
 
-    function canBeDeletedBy(User $user): bool
+    function canBePinnedBy(User $user): bool
     {
         if($this->getTargetWall() < 0)
-            $cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
-        else
-            $cDel = $this->getTargetWall() === $user->getId();
+            return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
 
-        return $this->getOwnerPost() === $user->getId() || $cDel;
+        return $this->getTargetWall() === $user->getId();
+    }
+
+    function canBeDeletedBy(User $user): bool
+    {
+        return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
     }
 
     function setContent(string $content): void
diff --git a/Web/Presenters/WallPresenter.php b/Web/Presenters/WallPresenter.php
index e500a25d..eb2d0051 100644
--- a/Web/Presenters/WallPresenter.php
+++ b/Web/Presenters/WallPresenter.php
@@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
         if(!$post)
             $this->notFound();
 
-        if(!$post->canBeDeletedBy($this->user->identity))
+        if(!$post->canBePinnedBy($this->user->identity))
             $this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
 
         if(($this->queryParam("act") ?? "pin") === "pin") {
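Review bot: `canBePinnedBy` now doubles as the wall-moderator half of `canBeDeletedBy`, so its name undersells what it grants: it is really an "is $user the wall owner, or allowed to modify the target club" test, and the two callers will silently drift apart if pin rules are ever tightened (say, to the wall owner only) without deletion rules following. Consider naming the wall-ownership test for what it is and having both predicates call it, e.g. `function canBeModeratedBy(User $user): bool` with `canBePinnedBy` reduced to `return $this->canBeModeratedBy($user);`. On the club branch `(new Clubs)->get(abs($this->getTargetWall()))` is dereferenced without a null check, so if a post can outlive its club this becomes a fatal error on null rather than a denied permission — I cannot tell from this hunk whether `get()` can return null, so please confirm. A docblock above `canBePinnedBy` should also state the intent the commit title implies: `/** True only for the wall owner (user wall) or a user who may modify the club (club wall); authorship of the post is deliberately not sufficient. */`.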
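Review bot: The switch to `canBePinnedBy` on the flashFail line is the right predicate, but the branch that follows chooses pin vs. unpin from `$this->queryParam("act")`, which suggests this write action is driven by query-string parameters; if the route is also reachable by a plain GET, a wall owner can be made to pin or unpin a post through a crafted link unless a CSRF/token check runs earlier in `renderPin`, whose start is outside this hunk — please confirm one does. Likewise `$this->user->identity` must be guaranteed non-null before this line, since `canBePinnedBy(User $user)` would raise a TypeError for an anonymous visitor instead of denying access. A short comment above the check, `// pinning is a wall-moderation right (wall owner / club editor), never the post author's`, would record why `canBeDeletedBy` was the wrong predicate here.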
diff --git a/Web/Presenters/templates/components/post/microblogpost.xml b/Web/Presenters/templates/components/post/microblogpost.xml
index 43849a99..60cf8ce2 100644
--- a/Web/Presenters/templates/components/post/microblogpost.xml
+++ b/Web/Presenters/templates/components/post/microblogpost.xml
@@ -29,7 +29,9 @@
 {/ifset}
 {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
-
+{/if}
+
+{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
 {if $post->isPinned()}
 {else}
diff --git a/Web/Presenters/templates/components/post/oldpost.xml b/Web/Presenters/templates/components/post/oldpost.xml
index a8f67f1e..4b46117a 100644
--- a/Web/Presenters/templates/components/post/oldpost.xml
+++ b/Web/Presenters/templates/components/post/oldpost.xml
@@ -70,7 +70,9 @@
 {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
 {_"delete"} | 
-
+{/if}
+
+{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
 {if $post->isPinned()}
 {_unpin} | 
 {else}
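Review bot: The added `{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}` introduces `$forceNoPinLink` as a second opt-out flag, so any include site that today passes `forceNoDeleteLink` to hide post actions will keep hiding the delete link but start showing the pin/unpin link unless it is updated to pass `forceNoPinLink` as well; those callers are not visible from this hunk, so please check them. Because this condition only controls whether the link is rendered and `WallPresenter::renderPin` is what actually enforces the rule, a template comment such as `{* cosmetic only: renderPin re-checks canBePinnedBy server-side *}` would keep the next reader from treating it as the access control.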