mirror of
https://github.com/openvk/openvk
synced 2024-12-23 00:51:03 +03:00
[SECURITY] Fix invalid access control check in WallPresenter::renderPin
This commit is contained in:
parent
b61cf7fb9d
commit
83b88dfee3
4 changed files with 15 additions and 8 deletions
|
@ -99,14 +99,17 @@ class Post extends Postable
|
|||
$this->save();
|
||||
}
|
||||
|
||||
function canBeDeletedBy(User $user): bool
|
||||
function canBePinnedBy(User $user): bool
|
||||
{
|
||||
if($this->getTargetWall() < 0)
|
||||
$cDel = (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
|
||||
else
|
||||
$cDel = $this->getTargetWall() === $user->getId();
|
||||
return (new Clubs)->get(abs($this->getTargetWall()))->canBeModifiedBy($user);
|
||||
|
||||
return $this->getOwnerPost() === $user->getId() || $cDel;
|
||||
return $this->getTargetWall() === $user->getId();
|
||||
}
|
||||
|
||||
function canBeDeletedBy(User $user): bool
|
||||
{
|
||||
return $this->getOwnerPost() === $user->getId() || $this->canBePinnedBy($user);
|
||||
}
|
||||
|
||||
function setContent(string $content): void
|
||||
|
|
|
@ -348,7 +348,7 @@ final class WallPresenter extends OpenVKPresenter
|
|||
if(!$post)
|
||||
$this->notFound();
|
||||
|
||||
if(!$post->canBeDeletedBy($this->user->identity))
|
||||
if(!$post->canBePinnedBy($this->user->identity))
|
||||
$this->flashFail("err", "Ошибка доступа", "Вам нельзя закреплять этот пост.");
|
||||
|
||||
if(($this->queryParam("act") ?? "pin") === "pin") {
|
||||
|
|
|
@ -29,7 +29,9 @@
|
|||
{/ifset}
|
||||
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false) && !isset($compact)}
|
||||
<a class="delete" href="/wall{$post->getPrettyId()}/delete"></a>
|
||||
{/if}
|
||||
|
||||
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false) && !isset($compact)}
|
||||
{if $post->isPinned()}
|
||||
<a class="delete" href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}"></a>
|
||||
{else}
|
||||
|
|
|
@ -70,7 +70,9 @@
|
|||
<div n:if="isset($thisUser) &&! ($compact ?? false)" class="post-menu">
|
||||
{if $post->canBeDeletedBy($thisUser) && !($forceNoDeleteLink ?? false)}
|
||||
<a href="/wall{$post->getPrettyId()}/delete">{_"delete"}</a> |
|
||||
{/if}
|
||||
|
||||
{if $post->canBePinnedBy($thisUser) && !($forceNoPinLink ?? false)}
|
||||
{if $post->isPinned()}
|
||||
<a href="/wall{$post->getPrettyId()}/pin?act=unpin&hash={rawurlencode($csrfToken)}">{_unpin}</a> |
|
||||
{else}
|
||||
|
|
Loading…
Reference in a new issue