parent
3f36afc285
commit
bffc2fd799
@ -736,6 +736,12 @@ function chat_start_for_user(
|
||||
|
||||
$_SESSION['threadid'] = $thread->id;
|
||||
|
||||
// Store own thread ids to restrict access for other people
|
||||
if (!isset($_SESSION['own_threads'])) {
|
||||
$_SESSION['own_threads'] = array();
|
||||
}
|
||||
$_SESSION['own_threads'][] = $thread->id;
|
||||
|
||||
// Bind thread to the visitor
|
||||
if (Settings::get('enabletracking')) {
|
||||
track_visitor_bind_thread($visitor_id, $thread);
|
||||
|
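Review bot: The value pushed into `$_SESSION['own_threads']` is taken straight from `$thread->id`, whose type (int or numeric string, depending on how Thread populates it) is not visible here, and the list is appended to on every chat start with no de-duplication, so a long-lived visitor session accumulates repeated entries. Normalising once at store time keeps later membership checks able to use strict comparison: `if (!in_array((int) $thread->id, $_SESSION['own_threads'], true)) { $_SESSION['own_threads'][] = (int) $thread->id; }`. The enclosing function chat_start_for_user starts before this hunk.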
@ -43,8 +43,12 @@ class UserChatController extends AbstractController
|
||||
$thread_id = $request->attributes->getInt('thread_id');
|
||||
$token = $request->attributes->get('token');
|
||||
|
||||
// We have to check that the thread is owned by the user.
|
||||
$is_own_thread = isset($_SESSION['own_threads'])
|
||||
&& in_array($thread_id, $_SESSION['own_threads']);
|
||||
|
||||
$thread = Thread::load($thread_id, $token);
|
||||
if (!$thread) {
|
||||
if (!$thread || !$is_own_thread) {
|
||||
throw new NotFoundException('The thread is not found.');
|
||||
}
|
||||
|
||||
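Review bot: The ownership test `in_array($thread_id, $_SESSION['own_threads'])` uses loose comparison, so it is only as precise as PHP's `==`; since `$thread_id` is an int from `getInt()` and the stored ids' type is not visible here, pass `true` as the third argument and make sure the stored values are ints: `&& in_array($thread_id, $_SESSION['own_threads'], true);`. Evaluating `$is_own_thread` before `Thread::load()` would also avoid a database lookup for threads the session can never access, while keeping the single NotFoundException for both cases is the right choice because it does not reveal whether the thread exists. The enclosing method starts before this hunk and continues after it.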
@ -257,6 +261,12 @@ class UserChatController extends AbstractController
|
||||
|
||||
$thread = Thread::load($invitation_state['threadid']);
|
||||
|
||||
// Store own thread ids to restrict access for other people
|
||||
if (!isset($_SESSION['own_threads'])) {
|
||||
$_SESSION['own_threads'] = array();
|
||||
}
|
||||
$_SESSION['own_threads'][] = $thread->id;
|
||||
|
||||
// Prepare page
|
||||
$page = setup_invitation_view($thread);
|
||||
|
||||
|
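Review bot: `Thread::load($invitation_state['threadid'])` is dereferenced as `$thread->id` without checking the result, unlike the `if (!$thread ...)` guard used elsewhere in this class; if load returns a falsy value for a stale or deleted invitation thread this becomes an error on a non-object rather than a controlled 404, and a bogus value would be pushed into the session's ownership list. Add `if (!$thread) { throw new NotFoundException('The thread is not found.'); }` immediately after the load, before the own_threads block. The enclosing method starts before this hunk.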
@ -22,6 +22,7 @@ namespace Mibew\RequestProcessor;
|
||||
// Import namespaces and classes of the core
|
||||
use Mibew\Authentication\AuthenticationManagerAwareInterface;
|
||||
use Mibew\Authentication\AuthenticationManagerInterface;
|
||||
use Mibew\Http\Exception\AccessDeniedException;
|
||||
use Mibew\Settings;
|
||||
use Mibew\Thread;
|
||||
use Mibew\API\API as MibewAPI;
|
||||
@ -274,6 +275,34 @@ class ThreadProcessor extends ClientSideProcessor implements
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
protected function processFunction($function, \Mibew\API\ExecutionContext &$context)
|
||||
{
|
||||
// Check if a function can be called. Operators can call anythig, thus
|
||||
// we should continue validation only for users.
|
||||
if (!$this->getAuthenticationManager()->getOperator()) {
|
||||
// A function is called by a user. We need to check that the thread
|
||||
// is related with the user.
|
||||
$arguments = $context->getArgumentsList($function);
|
||||
$thread_id = $arguments['threadid'];
|
||||
// As defined in Mibew\API\Interaction\ChatInteraction "threadid"
|
||||
// argument is mandatory, but some function allows it to be null. In
|
||||
// such cases there is no thread and there is nothing to check.
|
||||
if (!is_null($thread_id)) {
|
||||
$is_own_thread = isset($_SESSION['own_threads'])
|
||||
&& in_array($thread_id, $_SESSION['own_threads']);
|
||||
if (!$is_own_thread) {
|
||||
throw new AccessDeniedException();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// The function can be called. Process it.
|
||||
parent::processFunction($function, $context);
|
||||
}
|
||||
|
||||
/**
|
||||
* Update chat window state. API function
|
||||
*
|
||||
|
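Review bot: `threadid` here comes from the client-side API request, yet it is compared against the session list with a loose `in_array`, and under PHP's `==` rules `true` matches any non-empty array and `'5abc'` matches `5` on PHP 7, so a visitor who owns at least one thread could pass this gate with a non-integer value unless the argument validation layer already rejects non-integer threadids (not visible here). Reject anything that is not an int before the membership test and compare strictly: `if (!is_int($thread_id) || !in_array($thread_id, $_SESSION['own_threads'], true)) { throw new AccessDeniedException(); }`, with own_threads populated as ints to match. Note also that reading `$arguments['threadid']` with a direct index yields null (plus a notice) when the key is absent, which the following `is_null` branch then treats as "nothing to check"; if only specific functions legitimately accept a null thread, that exemption should be limited to those functions rather than to any request omitting the argument. The comment typo `anythig` could be fixed while here.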