Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-02-07 08:14:42 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Prevent unauthorized access to chat history

Browse Source
This commit is contained in:
Fedor A. Fetisov 2017-07-06 16:00:06 +03:00
parent 38e53aaa6a
commit a617eebeec
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/mibew/libs/classes/Mibew/Controller/Chat/MailController.php
View File

@ -50,9 +50,13 @@ class MailController extends AbstractController
$thread_id = $request->attributes->get('thread_id'); $thread_id = $request->attributes->get('thread_id');
$token = $request->attributes->get('token'); $token = $request->attributes->get('token');
// We have to check that the thread is owned by the user.
$is_own_thread = isset($_SESSION[SESSION_PREFIX . 'own_threads'])
&& in_array($thread_id, $_SESSION[SESSION_PREFIX . 'own_threads']);
// Try to load the thread // Try to load the thread
$thread = Thread::load($thread_id, $token); $thread = Thread::load($thread_id, $token);
if (!$thread) { if (!$thread || !$is_own_thread) {
throw new NotFoundException('The thread is not found.'); throw new NotFoundException('The thread is not found.');
} }
@ -86,9 +90,13 @@ class MailController extends AbstractController
$thread_id = $request->attributes->get('thread_id'); $thread_id = $request->attributes->get('thread_id');
$token = $request->attributes->get('token'); $token = $request->attributes->get('token');
// We have to check that the thread is owned by the user.
$is_own_thread = isset($_SESSION[SESSION_PREFIX . 'own_threads'])
&& in_array($thread_id, $_SESSION[SESSION_PREFIX . 'own_threads']);
// Try to load the thread // Try to load the thread
$thread = Thread::load($thread_id, $token); $thread = Thread::load($thread_id, $token);
if (!$thread) { if (!$thread || !$is_own_thread) {
throw new NotFoundException('The thread is not found.'); throw new NotFoundException('The thread is not found.');
} }