Commit f15322d7 authored by chandi's avatar chandi Committed by Matthias Larisch

fixed authorizations in xhrapp.php?app=wallpost

parent beee64f0
...@@ -82,6 +82,10 @@ class WallPostXhr extends Control ...@@ -82,6 +82,10 @@ class WallPostXhr extends Control
public function update() public function update()
{ {
if (!$this->wallPostPermissions->mayReadWall($this->session->id(), $this->table, $this->id)) {
return XhrResponses::PERMISSION_DENIED;
}
if ((int)$this->wallPostGateway->getLastPostId($this->table, $this->id) != (int)$_GET['last']) { if ((int)$this->wallPostGateway->getLastPostId($this->table, $this->id) != (int)$_GET['last']) {
if ($posts = $this->wallPostGateway->getPosts($this->table, $this->id)) { if ($posts = $this->wallPostGateway->getPosts($this->table, $this->id)) {
return array( return array(
......
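Review bot: The line right after the new permission guard reads `$_GET['last']` without checking that the parameter exists, so a request without it raises an undefined-index notice before the `(int)` cast; `if ((int)$this->wallPostGateway->getLastPostId($this->table, $this->id) != (int)($_GET['last'] ?? 0)) {` keeps the comparison and removes the notice. The guard fails closed for anonymous callers only because mayReadWall (changed in the same commit) rejects an empty id, which deserves a comment on the guard such as `// mayReadWall() returns false for an empty session id, so anonymous callers are denied here`. Where `$this->table` and `$this->id` come from is not visible in this hunk, and update() continues past it.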
...@@ -28,6 +28,10 @@ class WallPostPermissions ...@@ -28,6 +28,10 @@ class WallPostPermissions
public function mayReadWall($fsId, $target, $targetId) public function mayReadWall($fsId, $target, $targetId)
{ {
if (!$fsId) {
return false;
}
switch ($target) { switch ($target) {
case 'bezirk': case 'bezirk':
return $this->regionGateway->hasMember($fsId, $targetId); return $this->regionGateway->hasMember($fsId, $targetId);
...@@ -49,6 +53,10 @@ class WallPostPermissions ...@@ -49,6 +53,10 @@ class WallPostPermissions
public function mayWriteWall($fsId, $target, $targetId) public function mayWriteWall($fsId, $target, $targetId)
{ {
if (!$fsId) {
return false;
}
switch ($target) { switch ($target) {
case 'foodsaver': case 'foodsaver':
return $fsId == $targetId; return $fsId == $targetId;
...@@ -70,6 +78,10 @@ class WallPostPermissions ...@@ -70,6 +78,10 @@ class WallPostPermissions
*/ */
public function mayDeleteFromWall($fsId, $target, $targetId) public function mayDeleteFromWall($fsId, $target, $targetId)
{ {
if (!$fsId) {
return false;
}
switch ($target) { switch ($target) {
case 'foodsaver': case 'foodsaver':
return $fsId == $targetId; return $fsId == $targetId;
......
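Review bot: The new `if (!$fsId)` guard in mayWriteWall and mayDeleteFromWall fails closed for an empty session id, but the `foodsaver` branch immediately below it still uses a loose comparison, `return $fsId == $targetId;`. If `$targetId` arrives as a request string (its origin is not visible here), PHP 7's numeric-string coercion makes values like `'5abc'` compare equal to `5`, so both methods should use `return (int)$fsId === (int)$targetId;`. The switch default for an unknown `$target` lies outside all three hunks, so whether it also fails closed cannot be confirmed from this page.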