mirror of
https://github.com/pierre42100/ComunicAPI
synced 2024-11-27 07:49:27 +00:00
Uprageded the security of the conversations controller
parent
a7eb02aa06
commit
a351e9ff13
@ -40,7 +40,7 @@ class ConversationsController{
|
||||
user_login_required();
|
||||
|
||||
//Get conversation ID
|
||||
$conversationID = getPostConversationID("conversationID");
|
||||
$conversationID = $this->getSafePostConversationID("conversationID");
|
||||
|
||||
//Try to get informations about the conversation
|
||||
$conversationsList = CS::get()->components->conversations->getList(userID, $conversationID);
|
||||
@ -111,14 +111,8 @@ class ConversationsController{
|
||||
public function updateSettings(){
|
||||
user_login_required();
|
||||
|
||||
//Check conversation ID was specified
|
||||
if(!isset($_POST["conversationID"]))
|
||||
Rest_fatal_error(400, "Please specify a conversation ID !");
|
||||
$conversationID = toInt($_POST["conversationID"]);
|
||||
|
||||
//Check if the user belongs to the conversation
|
||||
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
|
||||
Rest_fatal_error("401", "Specified user doesn't belongs to the conversation !");
|
||||
//Get conversationID
|
||||
$conversationID = $this->getSafePostConversationID("conversationID");
|
||||
|
||||
//Check if user want to update its follow state
|
||||
if(isset($_POST['following'])){
|
||||
@ -353,7 +347,7 @@ class ConversationsController{
|
||||
user_login_required();
|
||||
|
||||
//Get the ID of the conversation to refresh
|
||||
$conversationID = getPostConversationID("conversationID");
|
||||
$conversationID = $this->getSafePostConversationID("conversationID");
|
||||
|
||||
//Get the last message ID downloaded by the client
|
||||
if(!isset($_POST['last_message_id']))
|
||||
@ -361,10 +355,6 @@ class ConversationsController{
|
||||
|
||||
$last_message_id = toInt($_POST['last_message_id']);
|
||||
|
||||
//Check if the current user can access the conversation
|
||||
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
|
||||
Rest_fatal_error(401, "Specified user doesn't belongs to the conversation number ".$conversationID." !");
|
||||
|
||||
//Check if user has already some of the messages of the conversations, or
|
||||
//If we have to return the list of the last ten messages
|
||||
if($last_message_id == 0){
|
||||
|
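Review bot: The three converted call sites (the first hunk at old line 40, `updateSettings`, and the refresh code at old line 353) now rely entirely on `$this->getSafePostConversationID()` for the membership check that the removed `userBelongsTo()` blocks performed inline, and that helper's body is not shown on this page. Please confirm that it calls `userBelongsTo(userID, $conversationID)` and halts the request through `Rest_fatal_error` on failure, and that no other method of `ConversationsController` still reads the ID through plain `getPostConversationID()`, because such a caller would skip the authorization step. The comment `//Get conversationID` hides that side effect; I would write `//Get conversation ID (also checks that the current user belongs to the conversation)` at each call site. The enclosing methods start and end outside the hunks.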