Mibew/mibew
1
0
Fork 0
mirror of https://github.com/Mibew/mibew.git synced 2025-04-10 09:50:12 +03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Restrict access to a thread for third-party users

Browse Source 
Fixes #71
This commit is contained in:
Dmitriy Simushev 2014-11-06 10:45:38 +00:00
parent 3f36afc285
commit bffc2fd799
3 changed files with 46 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/mibew/libs/chat.php
View File

@ -736,6 +736,12 @@ function chat_start_for_user(
$_SESSION['threadid'] = $thread->id; $_SESSION['threadid'] = $thread->id;
// Store own thread ids to restrict access for other people
if (!isset($_SESSION['own_threads'])) {
$_SESSION['own_threads'] = array();
}
$_SESSION['own_threads'][] = $thread->id;
// Bind thread to the visitor // Bind thread to the visitor
if (Settings::get('enabletracking')) { if (Settings::get('enabletracking')) {
track_visitor_bind_thread($visitor_id, $thread); track_visitor_bind_thread($visitor_id, $thread);

12
src/mibew/libs/classes/Mibew/Controller/Chat/UserChatController.php
View File

@ -43,8 +43,12 @@ class UserChatController extends AbstractController
$thread_id = $request->attributes->getInt('thread_id'); $thread_id = $request->attributes->getInt('thread_id');
$token = $request->attributes->get('token'); $token = $request->attributes->get('token');
// We have to check that the thread is owned by the user.
$is_own_thread = isset($_SESSION['own_threads'])
&& in_array($thread_id, $_SESSION['own_threads']);
$thread = Thread::load($thread_id, $token); $thread = Thread::load($thread_id, $token);
if (!$thread) { if (!$thread || !$is_own_thread) {
throw new NotFoundException('The thread is not found.'); throw new NotFoundException('The thread is not found.');
} }
@ -257,6 +261,12 @@ class UserChatController extends AbstractController
$thread = Thread::load($invitation_state['threadid']); $thread = Thread::load($invitation_state['threadid']);
// Store own thread ids to restrict access for other people
if (!isset($_SESSION['own_threads'])) {
$_SESSION['own_threads'] = array();
}
$_SESSION['own_threads'][] = $thread->id;
// Prepare page // Prepare page
$page = setup_invitation_view($thread); $page = setup_invitation_view($thread);

29
src/mibew/libs/classes/Mibew/RequestProcessor/ThreadProcessor.php
View File

@ -22,6 +22,7 @@ namespace Mibew\RequestProcessor;
// Import namespaces and classes of the core // Import namespaces and classes of the core
use Mibew\Authentication\AuthenticationManagerAwareInterface; use Mibew\Authentication\AuthenticationManagerAwareInterface;
use Mibew\Authentication\AuthenticationManagerInterface; use Mibew\Authentication\AuthenticationManagerInterface;
use Mibew\Http\Exception\AccessDeniedException;
use Mibew\Settings; use Mibew\Settings;
use Mibew\Thread; use Mibew\Thread;
use Mibew\API\API as MibewAPI; use Mibew\API\API as MibewAPI;
@ -274,6 +275,34 @@ class ThreadProcessor extends ClientSideProcessor implements
} }
} }
/**
* {@inheritdoc}
*/
protected function processFunction($function, \Mibew\API\ExecutionContext &$context)
{
// Check if a function can be called. Operators can call anythig, thus
// we should continue validation only for users.
if (!$this->getAuthenticationManager()->getOperator()) {
// A function is called by a user. We need to check that the thread
// is related with the user.
$arguments = $context->getArgumentsList($function);
$thread_id = $arguments['threadid'];
// As defined in Mibew\API\Interaction\ChatInteraction "threadid"
// argument is mandatory, but some function allows it to be null. In
// such cases there is no thread and there is nothing to check.
if (!is_null($thread_id)) {
$is_own_thread = isset($_SESSION['own_threads'])
&& in_array($thread_id, $_SESSION['own_threads']);
if (!$is_own_thread) {
throw new AccessDeniedException();
}
}
}
// The function can be called. Process it.
parent::processFunction($function, $context);
}
/** /**
* Update chat window state. API function * Update chat window state. API function
* *