Uprageded the security of the conversations controller

This commit is contained in:
Pierre 2018-04-25 19:10:26 +02:00
parent a7eb02aa06
commit a351e9ff13

View File

@ -40,7 +40,7 @@ class ConversationsController{
user_login_required();
//Get conversation ID
$conversationID = getPostConversationID("conversationID");
$conversationID = $this->getSafePostConversationID("conversationID");
//Try to get informations about the conversation
$conversationsList = CS::get()->components->conversations->getList(userID, $conversationID);
@ -111,14 +111,8 @@ class ConversationsController{
public function updateSettings(){
user_login_required();
//Check conversation ID was specified
if(!isset($_POST["conversationID"]))
Rest_fatal_error(400, "Please specify a conversation ID !");
$conversationID = toInt($_POST["conversationID"]);
//Check if the user belongs to the conversation
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
Rest_fatal_error("401", "Specified user doesn't belongs to the conversation !");
//Get conversationID
$conversationID = $this->getSafePostConversationID("conversationID");
//Check if user want to update its follow state
if(isset($_POST['following'])){
@ -353,7 +347,7 @@ class ConversationsController{
user_login_required();
//Get the ID of the conversation to refresh
$conversationID = getPostConversationID("conversationID");
$conversationID = $this->getSafePostConversationID("conversationID");
//Get the last message ID downloaded by the client
if(!isset($_POST['last_message_id']))
@ -361,10 +355,6 @@ class ConversationsController{
$last_message_id = toInt($_POST['last_message_id']);
//Check if the current user can access the conversation
if(!CS::get()->components->conversations->userBelongsTo(userID, $conversationID))
Rest_fatal_error(401, "Specified user doesn't belongs to the conversation number ".$conversationID." !");
//Check if user has already some of the messages of the conversations, or
//If we have to return the list of the last ten messages
if($last_message_id == 0){