Commit f15322d7 authored by chandi's avatar chandi Committed by Matthias Larisch

fixed authorizations in xhrapp.php?app=wallpost

parent beee64f0
......@@ -82,6 +82,10 @@ class WallPostXhr extends Control
public function update()
{
if (!$this->wallPostPermissions->mayReadWall($this->session->id(), $this->table, $this->id)) {
return XhrResponses::PERMISSION_DENIED;
}
if ((int)$this->wallPostGateway->getLastPostId($this->table, $this->id) != (int)$_GET['last']) {
if ($posts = $this->wallPostGateway->getPosts($this->table, $this->id)) {
return array(
......
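Review bot: The comparison right after the new guard still reads `$_GET['last']` directly, so a request that omits `last` raises an undefined-index notice and is silently compared as 0. Reading it once into a checked local, `$last = isset($_GET['last']) ? (int)$_GET['last'] : 0;`, and comparing with `!==` makes the handler's input handling explicit. The permission check runs before any gateway call, which is the order to keep; a one-line comment such as `// authorize before any gateway access` would document that. update() continues past the end of this hunk.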
......@@ -28,6 +28,10 @@ class WallPostPermissions
public function mayReadWall($fsId, $target, $targetId)
{
if (!$fsId) {
return false;
}
switch ($target) {
case 'bezirk':
return $this->regionGateway->hasMember($fsId, $targetId);
......@@ -49,6 +53,10 @@ class WallPostPermissions
public function mayWriteWall($fsId, $target, $targetId)
{
if (!$fsId) {
return false;
}
switch ($target) {
case 'foodsaver':
return $fsId == $targetId;
......@@ -70,6 +78,10 @@ class WallPostPermissions
*/
public function mayDeleteFromWall($fsId, $target, $targetId)
{
if (!$fsId) {
return false;
}
switch ($target) {
case 'foodsaver':
return $fsId == $targetId;
......
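Review bot: `return $fsId == $targetId;` in mayWriteWall and mayDeleteFromWall is a loose comparison inside an authorization decision, and the added `!$fsId` guard only covers the empty-id side of it. If `$targetId` can arrive as a request string (its origin is not visible here), PHP's type juggling still decides the result; validating both ids as integers where they enter the class and then using `return $fsId === $targetId;` removes that dependency. The same three-line guard now appears in mayReadWall, mayWriteWall and mayDeleteFromWall, so a docblock line on each such as `Anonymous sessions (falsy $fsId) are always denied.` would record the rule. The switch bodies run past each hunk; it is worth confirming that an unrecognised `$target` ends in `return false`.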