From a617eebeec6735cc324f222d27c881959ce192a4 Mon Sep 17 00:00:00 2001
From: "Fedor A. Fetisov"
Date: Thu, 6 Jul 2017 16:00:06 +0300
Subject: [PATCH] Prevent unauthorized access to chat history

---
 .../classes/Mibew/Controller/Chat/MailController.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/mibew/libs/classes/Mibew/Controller/Chat/MailController.php b/src/mibew/libs/classes/Mibew/Controller/Chat/MailController.php
index 84c3a936..e0b9f365 100644
--- a/src/mibew/libs/classes/Mibew/Controller/Chat/MailController.php
+++ b/src/mibew/libs/classes/Mibew/Controller/Chat/MailController.php
@@ -50,9 +50,13 @@ class MailController extends AbstractController
         $thread_id = $request->attributes->get('thread_id');
         $token = $request->attributes->get('token');
 
+        // We have to check that the thread is owned by the user.
+        $is_own_thread = isset($_SESSION[SESSION_PREFIX . 'own_threads'])
+            && in_array($thread_id, $_SESSION[SESSION_PREFIX . 'own_threads']);
+
         // Try to load the thread
         $thread = Thread::load($thread_id, $token);
-        if (!$thread) {
+        if (!$thread || !$is_own_thread) {
             throw new NotFoundException('The thread is not found.');
         }
 
@@ -86,9 +90,13 @@ class MailController extends AbstractController
         $thread_id = $request->attributes->get('thread_id');
         $token = $request->attributes->get('token');
 
+        // We have to check that the thread is owned by the user.
+        $is_own_thread = isset($_SESSION[SESSION_PREFIX . 'own_threads'])
+            && in_array($thread_id, $_SESSION[SESSION_PREFIX . 'own_threads']);
+
         // Try to load the thread
         $thread = Thread::load($thread_id, $token);
-        if (!$thread) {
+        if (!$thread || !$is_own_thread) {
             throw new NotFoundException('The thread is not found.');
         }
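Review bot: The ownership test in the added `$is_own_thread` lines uses `in_array()` without the strict flag, so `$thread_id` — a request attribute, presumably a string taken from the route — is compared loosely against whatever the session list holds, and loose string-to-number comparison in this PHP era accepts values that merely start with the stored number. If `own_threads` stores integer ids (not visible here, worth confirming), normalizing the id and comparing strictly closes that gap: `&& in_array((int) $thread_id, $_SESSION[SESSION_PREFIX . 'own_threads'], true);`. The second hunk (`@@ -86,9 +90,13 @@`) repeats the identical four-line check and the same `if` change, so both would be better served by one private helper (e.g. `isOwnThread($thread_id)`) that both actions call, keeping the two authorization paths from drifting apart later. Reusing the "not found" exception for the not-owned case is a sound choice, since it does not reveal to a non-owner whether the thread exists. Both enclosing methods start and end outside the hunks.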