[SECURITY] Fix invalid access control check in WallPresenter::renderPin
This commit is contained in:
parent
b61cf7fb9d
commit
83b88dfee3
4 changed files with 15 additions and 8 deletions
@ -99,14 +99,17 @@ class Post extends Postable
|
||||||
$this->save();
|
$this->save();
|
||||||
}
|
}
|
||||||
|
|
||||||
function canBeDeletedBy(User $user): bool
|
function canBePinnedBy(User $user): bool
|
||||||
{
|
{
|
||||||
if($this->getTargetWall() < 0)
|
if($this->getTargetWall() < 0)
|
||||||
$cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
|
return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
|
||||||
else
|
|
||||||
$cDel = $this->getTargetWall() === $user->getId();
|
|
||||||
|
|
||||||
return $this->getOwnerPost() === $user->getId() || $cDel;
|
return $this->getTargetWall() === $user->getId();
|
||||||
|
}
|
||||||
|
|
||||||
|
function canBeDeletedBy(User $user): bool
|
||||||
|
{
|
||||||
|
return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
|
||||||
}
|
}
|
||||||
|
|
||||||
function setContent(string $content): void
|
function setContent(string $content): void
|
||||||
|
|
|
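Review bot: canBeDeletedBy now delegates to canBePinnedBy on the line `return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);`, so the delete permission is defined in terms of the pin permission and any future relaxation of who may pin silently widens who may delete. I would extract the shared rule into a neutrally named helper such as `function canBeModeratedBy(User $user): bool` (wall owner, or a user who may modify the club that owns the wall) and have both methods call it, with a docblock on canBePinnedBy stating that being the post's author is deliberately not sufficient. In the club branch `(new Clubs)->get(abs($this->getTargetWall()))` is dereferenced unconditionally; if `get()` can return null for a removed club (not visible here) both pin and delete would fail with a fatal error rather than a denial, so `$club = (new Clubs)->get(abs($this->getTargetWall())); return $club !== null && $club->canBeModifiedBy($user);` is the safer form. Both methods are fully contained in this hunk.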
@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
|
||||||
if(!$post)
|
if(!$post)
|
||||||
$this->notFound();
|
$this->notFound();
|
||||||
|
|
||||||
if(!$post->canBeDeletedBy($this->user->identity))
|
if(!$post->canBePinnedBy($this->user->identity))
|
||||||
$this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
|
$this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
|
||||||
|
|
||||||
if(($this->queryParam("act") ?? "pin") === "pin") {
|
if(($this->queryParam("act") ?? "pin") === "pin") {
|
||||||
|
|
|
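Review bot: The check `if(!$post->canBePinnedBy($this->user->identity))` carries no explanation of why canBeDeletedBy must not be used here, which is exactly the regression this commit fixes, so the next refactor could easily re-merge the two. A comment such as `// Pinning is a wall-owner / club-moderator right: the post's author alone must not pin on someone else's wall, so do not reuse canBeDeletedBy here.` above the check would preserve that intent. The `act` branching below runs after the check, so pin and unpin share the same gate. renderPin starts before and ends after this hunk, so whether the caller is already guaranteed to be logged in before `$this->user->identity` is read is not visible here.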
@ -29,7 +29,9 @@
|
||||||
{/ifset}
|
{/ifset}
|
||||||
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
|
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
|
||||||
<a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
|
<a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
|
||||||
|
{/if}
|
||||||
|
|
||||||
|
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
|
||||||
{if $post->isPinned()}
|
{if $post->isPinned()}
|
||||||
<a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
|
<a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
|
||||||
{else}
|
{else}
|
||||||
|
|
|
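Review bot: The pin/unpin anchors wrapped by the new `{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}` guard still trigger a state change through a GET URL that carries the CSRF token as `hash=`, which leaves the token in browser history and in Referer headers sent from the post page; this predates the commit, but the new guard only hides the link and does not change that. The server-side validation of `hash` is not visible in this section, so I cannot say how strictly it is checked; a follow-up that submits pin/unpin via a POST form would remove the exposure. `$forceNoPinLink` is introduced here with no setter anywhere in the diff, so a one-line comment naming the template or presenter expected to pass it would help the next reader.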
@ -70,7 +70,9 @@
|
||||||
<div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
|
<div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
|
||||||
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
|
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
|
||||||
<a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a> |
|
<a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a> |
|
||||||
|
{/if}
|
||||||
|
|
||||||
|
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
|
||||||
{if $post->isPinned()}
|
{if $post->isPinned()}
|
||||||
<a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a> |
|
<a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a> |
|
||||||
{else}
|
{else}
|
||||||
|
|