[SECURITY] Fix invalid access control check in WallPresenter::renderPin

Celestora 2021-09-20 16:46:55 +03:00
parent b61cf7fb9d
commit 83b88dfee3
4 changed files with 15 additions and 8 deletions


@ -99,14 +99,17 @@ class Post extends Postable
$this->save(); $this->save();
} }
function canBeDeletedBy(User $user): bool function canBePinnedBy(User $user): bool
{ {
if($this->getTargetWall() < 0) if($this->getTargetWall() < 0)
$cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user); return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
else
$cDel = $this->getTargetWall() === $user->getId();
return $this->getOwnerPost() === $user->getId() || $cDel; return $this->getTargetWall() === $user->getId();
}
function canBeDeletedBy(User $user): bool
{
return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
} }
function setContent(string $content): void function setContent(string $content): void
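Review bot: The new `canBePinnedBy` calls `->canBeModifiedBy($user)` directly on the result of `(new Clubs)->get(abs($this->getTargetWall()))`, so if `get()` can return null for a club that no longer resolves (its signature is not visible here), the access check faults instead of denying; `$club = (new Clubs)->get(abs($this->getTargetWall())); return $club !== null && $club->canBeModifiedBy($user);` keeps the predicate total and fail-closed. `canBeDeletedBy` is now defined in terms of pin permission, which means any later loosening of who may pin silently widens who may delete; a docblock on `canBePinnedBy` stating that it doubles as the wall-moderator check used by deletion, or a shared private helper that both methods call, would make that coupling explicit. The enclosing `Post` class continues outside the hunk.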


@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
if(!$post) if(!$post)
$this->notFound(); $this->notFound();
if(!$post->canBeDeletedBy($this->user->identity)) if(!$post->canBePinnedBy($this->user->identity))
$this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост."); $this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
if(($this->queryParam("act") ?? "pin") === "pin") { if(($this->queryParam("act") ?? "pin") === "pin") {
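Review bot: The permission check is now the correct `canBePinnedBy`, but the hunk dispatches the pin/unpin state change from the `act` query parameter with no visible verification of the `hash` value the templates attach to the link; presumably the CSRF check lives elsewhere in the presenter, and it should run before this branch acts on `act`, since this GET-reachable action is now the enforcement point that the template-side `canBePinnedBy` guards only mirror. A one-line comment at the check, `// authorisation is enforced here; the template-level canBePinnedBy() only hides the link`, would record that for the next reader. The `renderPin` method starts and ends outside the hunk.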


@ -29,7 +29,9 @@
{/ifset} {/ifset}
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)} {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
<a class="delete" href="/wall{$post->getPrettyId()}/delete"></a> <a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
{/if}
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
{if $post->isPinned()} {if $post->isPinned()}
<a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a> <a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
{else} {else}
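Review bot: The new condition introduces `$forceNoPinLink`, a template variable that nothing in this hunk (or in the parallel hunk of the second template, which adds the same guard) sets or documents, so a reader cannot tell whether it is an intended opt-out for callers or an unused flag copied from `$forceNoDeleteLink`. A short comment above the block, `{* $forceNoPinLink: callers that render a pin-capable post without pin controls set this *}`, would make the contract visible, and if no caller passes it the guard can be dropped. These template checks only control link visibility; the `canBePinnedBy` check in `WallPresenter::renderPin` is what actually enforces access. The `{if $post->isPinned()}` block's `{else}` branch and closing continue outside the hunk.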


@ -70,7 +70,9 @@
<div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu"> <div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)} {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
<a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a>&nbsp;|&nbsp; <a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a>&nbsp;|&nbsp;
{/if}
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
{if $post->isPinned()} {if $post->isPinned()}
<a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a>&nbsp;|&nbsp; <a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a>&nbsp;|&nbsp;
{else} {else}