From 4f605ea4dd2cf05b59e8c3514b5f4c6dfc4a7a6b Mon Sep 17 00:00:00 2001
From: Pierre
Date: Mon, 25 Dec 2017 09:20:22 +0100
Subject: [PATCH] Improved conversation controller security checks

---
 RestControllers/conversationsController.php | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/RestControllers/conversationsController.php b/RestControllers/conversationsController.php
index d5cf767..a265cda 100644
--- a/RestControllers/conversationsController.php
+++ b/RestControllers/conversationsController.php
@@ -165,21 +165,15 @@ class conversationsController{
 
 public function findPrivate(){
 user_login_required();
-
- //Check for parametres
- if(!isset($_POST['otherUser']))
- Rest_fatal_error(400, "Please check your parametres !");
 
 //Extract parametres
- $otherUser = toInt($_POST['otherUser']);
+ $otherUser = getPostUserID('otherUser');
+
+ //Check if we are allowed to create a conversation or not
 if(isset($_POST["allowCreate"]))
 $allowCreate = $_POST["allowCreate"] == "true" ? true : false;
 else
 $allowCreate = false;
-
- //Check the user exists
- if(!CS::get()->components->user->exists($otherUser))
- Rest_fatal_error(400, "Specified user does not exist !");
 
 //Search the database
 $results = CS::get()->components->conversations->findPrivate(userID, $otherUser);
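Review bot: Dropping the explicit `CS::get()->components->user->exists($otherUser)` check is only safe if `getPostUserID('otherUser')` itself fails the request when the parameter is missing or does not refer to an existing user; that behaviour is not visible in this hunk and should be confirmed, and a comment such as `//getPostUserID() fails the request when the user does not exist` on the new line would record the assumption for the next reader. With the existence check gone, the path that passes `$allowCreate = true` on to the component has no visible authorization step between the caller (`userID`) and `$otherUser`, so any relationship rule that should gate creating a conversation presumably has to live in the component's findPrivate(), which is worth verifying. The `$allowCreate` block can also be reduced to one strict-comparison line, `$allowCreate = ($_POST["allowCreate"] ?? "") === "true";`, in place of the four-line `isset` branch. findPrivate's body continues outside the hunk.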