[COMPONENT][Attachment][Controller] Security fix: We were not ensuring that attachment was related to note
This commit is contained in:
parent
47f03d4c9f
commit
5c7b079df5
@ -35,6 +35,7 @@ use App\Util\Exception\NoSuchFileException;
|
||||
use App\Util\Exception\NotFoundException;
|
||||
use App\Util\Exception\ServerException;
|
||||
use Component\Attachment\Entity\AttachmentThumbnail;
|
||||
use Component\Attachment\Entity\AttachmentToNote;
|
||||
use Symfony\Component\HttpFoundation\HeaderUtils;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
@ -50,7 +51,12 @@ class Attachment extends Controller
|
||||
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
||||
$note = \is_int($note) ? Note::getById($note) : $note;
|
||||
|
||||
// Before anything, ensure proper scope
|
||||
// Before anything, two very important things!
|
||||
// first: ensure this attachment is associated with this note
|
||||
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
|
||||
throw new ClientException(_m('No such attachment.'), 404);
|
||||
}
|
||||
// second: ensure proper scope
|
||||
if (!$note->isVisibleTo(Common::actor())) {
|
||||
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
|
||||
}
|
||||
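Review bot: The association check at `if (DB::count(AttachmentToNote::class, ...)` runs before the visibility check, so an actor who may not see the note still gets a 404-versus-401 distinction that reveals whether a given attachment id is linked to that note; checking scope first removes that oracle (the same ordering is repeated in attachmentThumbnailWithNote in the third hunk). The count also dereferences `$attachment->getId()` although `$attachment_id` is already in hand — if `DB::findOneBy` can return null on a miss rather than throwing, that becomes a null-method-call error instead of the intended 404. Since the two checks are now duplicated verbatim in both actions, I would move them into one private helper taking the id and the note, as below, so the order and status codes cannot drift apart. Using 401 for a permission failure is also questionable — 403 is the conventional code for a forbidden request unless Common::actor() can be null here and 401 is meant for the anonymous case. The enclosing method of this hunk starts above the hunk.
```php
    // … unchanged: $attachment / $note lookup …
    $this->ensureAttachmentVisibleViaNote($attachment_id, $note);
    // … unchanged: rest of the action …

    /**
     * Throws unless the current actor may see $note and $attachment_id is attached to it.
     *
     * Scope is checked first so a caller without access learns nothing about
     * which attachments belong to the note. Shared by the show and thumbnail actions.
     */
    private function ensureAttachmentVisibleViaNote(int $attachment_id, Note $note): void
    {
        if (!$note->isVisibleTo(Common::actor())) {
            throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
        }
        if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment_id, 'note_id' => $note->getId()]) <= 0) {
            throw new ClientException(_m('No such attachment.'), 404);
        }
    }
```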
@ -145,12 +151,18 @@ class Attachment extends Controller
|
||||
*/
|
||||
public function attachmentThumbnailWithNote(Request $request, int $note_id, int $attachment_id, string $size = 'small'): Response
|
||||
{
|
||||
// Before anything, ensure proper scope
|
||||
if (!Note::getById($note_id)->isVisibleTo(Common::actor())) {
|
||||
throw new ClientException(_m('You don\'t have permissions to view this thumbnail.'), 401);
|
||||
}
|
||||
|
||||
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
|
||||
$note = Note::getById($note_id);
|
||||
|
||||
// Before anything, two very important things!
|
||||
// first: ensure this attachment is associated with this note
|
||||
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
|
||||
throw new ClientException(_m('No such attachment.'), 404);
|
||||
}
|
||||
// second: ensure proper scope
|
||||
if (!$note->isVisibleTo(Common::actor())) {
|
||||
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
|
||||
}
|
||||
|
||||
$crop = Common::config('thumbnail', 'smart_crop');
|
||||
|
||||
|