Commit beee64f0 authored by chandi's avatar chandi Committed by Matthias Larisch

fixed authorization for xhrapp.php?app=wallpost

parent 052fb7d5
......@@ -15,7 +15,7 @@ class WallPostView extends View
$this->wallId = $wallId;
}
public function posts($posts)
public function posts($posts, $mayDelete)
{
/*
[0] => Array
......@@ -56,10 +56,7 @@ class WallPostView extends View
</div>';
}
$del = '';
if (
$p['foodsaver_id'] == $this->session->id()
|| (!in_array($this->table, array('fairteiler', 'foodsaver')) && ($this->session->isAmbassador() || $this->session->isOrgaTeam()))
) {
if ($mayDelete || $p['foodsaver_id'] == $this->session->id()) {
$del = '<span class="dot">·</span><a onclick="u_delPost(' . $p['id'] . ', \'' . $this->table . '\', ' . $this->wallId . ');return false;" href="#p' . $p['id'] . '" class="pdelete light">' . $this->func->s('delete') . '</a>';
}
......
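Review bot: The new `$mayDelete` parameter on `posts($posts, $mayDelete)` is untyped, and every call site passes the raw return of `mayDeleteFromWall()` straight through, so I would declare it `public function posts($posts, bool $mayDelete)` and add a docblock saying the flag only controls whether the delete link is rendered — the actual authorization is enforced server-side in the XHR delete handler, so this is a UI hint, not a security boundary. The ownership test on the new line, `$p['foodsaver_id'] == $this->session->id()`, is loose while the equivalent check this commit adds in the controller uses strict `!==`; if `foodsaver_id` comes back from the database as a string the two will disagree, the link renders but the delete request is then denied. Either cast both sides, `(int)$p['foodsaver_id'] === (int)$this->session->id()`, or use the same comparison in both places. The body of `posts()` continues past the end of this hunk, so I cannot see how the remaining HTML is assembled.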
......@@ -50,7 +50,18 @@ class WallPostXhr extends Control
{
if ((int)$_GET['post'] > 0) {
$postId = (int)$_GET['post'];
if (!$this->wallPostGateway->isLinkedToTarget($postId, $this->table, $this->id)) {
return array(
'status' => 0
);
}
$fs = $this->wallPostGateway->getFsByPost($postId);
if ($fs !== $this->session->id() && !$this->wallPostPermissions->mayDeleteFromWall($this->session->id(), $this->table, $this->id)) {
return XhrResponses::PERMISSION_DENIED;
}
if ($fs == $this->session->id()
|| (!in_array($this->table, array('fairteiler', 'foodsaver')) && ($this->session->isAmbassador() || $this->session->isOrgaTeam()))
) {
......@@ -75,7 +86,7 @@ class WallPostXhr extends Control
if ($posts = $this->wallPostGateway->getPosts($this->table, $this->id)) {
return array(
'status' => 1,
'html' => $this->view->posts($posts)
'html' => $this->view->posts($posts, $this->wallPostPermissions->mayDeleteFromWall($this->session->id(), $this->table, $this->id))
);
}
} else {
......@@ -87,6 +98,9 @@ class WallPostXhr extends Control
public function quickreply()
{
if (!$this->wallPostPermissions->mayWriteWall($this->session->id(), $this->table, $this->id)) {
return XhrResponses::PERMISSION_DENIED;
}
$message = trim(strip_tags($_POST['msg'] ?? ''));
if (!empty($message)) {
......@@ -140,7 +154,7 @@ class WallPostXhr extends Control
return array(
'status' => 1,
'html' => $this->view->posts($this->wallPostGateway->getPosts($this->table, $this->id))
'html' => $this->view->posts($this->wallPostGateway->getPosts($this->table, $this->id), $this->wallPostPermissions->mayDeleteFromWall($this->session->id(), $this->table, $this->id))
);
}
}
......
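Review bot: `if ($fs !== $this->session->id() && ...)` compares strictly against a value freshly read by `getFsByPost()`; if that gateway returns the column as a string (typical for PDO fetches without typed columns) while `id()` returns an int, the owner branch never matches and an ordinary member loses the ability to delete their own post, with the view added in this commit (which uses loose `==`) still showing the link. Normalise both sides, `if ((int)$fs !== (int)$this->session->id() && !$this->wallPostPermissions->mayDeleteFromWall($this->session->id(), $this->table, $this->id))`, or have `getFsByPost()` declare and return `int`. The `isLinkedToTarget` guard returning `['status' => 0]` rather than `XhrResponses::PERMISSION_DENIED` is acceptable as it avoids leaking whether the post exists, but a one-line comment, `// post does not belong to this wall: fail closed without revealing existence`, would stop a later reader from "fixing" it. The enclosing method opens before this hunk (the `{` is the first visible line), so I cannot see whether the delete is guarded by anything beyond the GET parameter; a state-changing action driven by `$_GET` is worth confirming carries a CSRF token.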