Comunic/ComunicAPI
1
0
Fork 0
mirror of https://github.com/pierre42100/ComunicAPI synced 2024-11-27 15:59:29 +00:00
Code Issues Projects Releases Wiki Activity

Uprageded the security of the conversations controller

Browse Source
This commit is contained in:
Pierre 2018-04-25 19:10:26 +02:00
parent a7eb02aa06
commit a351e9ff13
1 changed files with 4 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
RestControllers/ConversationsController.php
View File

@ -40,7 +40,7 @@ class ConversationsController{
user_login_required(); user_login_required();
//Get conversation ID //Get conversation ID
$conversationID = getPostConversationID("conversationID"); $conversationID = $this->getSafePostConversationID("conversationID");
//Try to get informations about the conversation //Try to get informations about the conversation
$conversationsList = CS::get()->components->conversations->getList(userID, $conversationID); $conversationsList = CS::get()->components->conversations->getList(userID, $conversationID);
@ -111,14 +111,8 @@ class ConversationsController{
public function updateSettings(){ public function updateSettings(){
user_login_required(); user_login_required();
//Check conversation ID was specified //Get conversationID
if(!isset($_POST["conversationID"])) $conversationID = $this->getSafePostConversationID("conversationID");
Rest_fatal_error(400, "Please specify a conversation ID !");
$conversationID = toInt($_POST["conversationID"]);
//Check if the user belongs to the conversation
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
Rest_fatal_error("401", "Specified user doesn't belongs to the conversation !");
//Check if user want to update its follow state //Check if user want to update its follow state
if(isset($_POST['following'])){ if(isset($_POST['following'])){
@ -353,7 +347,7 @@ class ConversationsController{
user_login_required(); user_login_required();
//Get the ID of the conversation to refresh //Get the ID of the conversation to refresh
$conversationID = getPostConversationID("conversationID"); $conversationID = $this->getSafePostConversationID("conversationID");
//Get the last message ID downloaded by the client //Get the last message ID downloaded by the client
if(!isset($_POST['last_message_id'])) if(!isset($_POST['last_message_id']))
@ -361,10 +355,6 @@ class ConversationsController{
$last_message_id = toInt($_POST['last_message_id']); $last_message_id = toInt($_POST['last_message_id']);
//Check if the current user can access the conversation
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
Rest_fatal_error(401, "Specified user doesn't belongs to the conversation number ".$conversationID." !");
//Check if user has already some of the messages of the conversations, or //Check if user has already some of the messages of the conversations, or
//If we have to return the list of the last ten messages //If we have to return the list of the last ten messages
if($last_message_id == 0){ if($last_message_id == 0){