[PLUGIN][AttachmentCollections] Prevent user from appending stuff in a collection (s)he doesn't own

2021-12-25 11:27:00 -03:00 · 2021-12-25 11:27:00 -03:00 · af3d278fde
parent 1e965157de
commit af3d278fde
1 changed files with 8 additions and 4 deletions
--- a/plugins/AttachmentCollections/AttachmentCollections.php
+++ b/plugins/AttachmentCollections/AttachmentCollections.php
@ -153,11 +153,15 @@ class AttachmentCollections extends Plugin
                    ['aid' => $attachment_id, 'id' => $user->getId(), 'ids' => $removed]
                );
            }
+            $collection_ids = \array_map(fn ($x) => $x->getId(), $colls);
            foreach ($added as $cid) {
-                DB::persist(CollectionEntry::create([
-                    'attachment_id' => $attachment_id,
-                    'collection_id' => $cid,
-                ]));
+                // prevent user from putting something in a collection (s)he doesn't own:
+                if (\in_array($cid, $collection_ids)) {
+                    DB::persist(CollectionEntry::create([
+                        'attachment_id' => $attachment_id,
+                        'collection_id' => $cid,
+                    ]));
+                }
            }
            DB::flush();
        }