[SECURITY] Fix invalid access control check in WallPresenter::renderPin

2024-11-11 01:19:53 +03:00 · 2021-09-20 16:46:55 +03:00 · 2021-09-20 16:46:55 +03:00 · 83b88dfee3
commit 83b88dfee3
parent b61cf7fb9d
4 changed files with 15 additions and 8 deletions
--- a/Web/Models/Entities/Post.php
+++ b/Web/Models/Entities/Post.php
@ -99,14 +99,17 @@ class Post extends Postable
        $this->save();
    }
    
-    function canBeDeletedBy(User $user): bool
+    function canBePinnedBy(User $user): bool
    {
        if($this->getTargetWall() < 0)
-            $cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
-        else
-            $cDel = $this->getTargetWall() === $user->getId();
+            return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
        
-        return $this->getOwnerPost() === $user->getId() || $cDel;
+        return $this->getTargetWall() === $user->getId();
+    }
+    
+    function canBeDeletedBy(User $user): bool
+    {
+        return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
    }
    
    function setContent(string $content): void
--- a/Web/Presenters/WallPresenter.php
+++ b/Web/Presenters/WallPresenter.php
@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
        if(!$post)
            $this->notFound();
        
-        if(!$post->canBeDeletedBy($this->user->identity))
+        if(!$post->canBePinnedBy($this->user->identity))
            $this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
        
        if(($this->queryParam("act") ?? "pin") === "pin") {
--- a/Web/Presenters/templates/components/post/microblogpost.xml
+++ b/Web/Presenters/templates/components/post/microblogpost.xml
@ -29,7 +29,9 @@
                    {/ifset}
                    {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
                        <a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
+                    {/if}
                    
+                    {if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
                        {if $post->isPinned()}
                            <a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
                        {else}
--- a/Web/Presenters/templates/components/post/oldpost.xml
+++ b/Web/Presenters/templates/components/post/oldpost.xml
@ -70,7 +70,9 @@
                <div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
                    {if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
                        <a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a>&nbsp;|&nbsp;
+                    {/if}
                    
+                    {if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
                        {if $post->isPinned()}
                            <a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a>&nbsp;|&nbsp;
                        {else}