Skip to content

Commit c5d5a9f

Browse files
carlbennettcarlbennett
committed
Perform ACL checking on content deletion
1 parent 7b1e585 commit c5d5a9f

File tree

3 files changed

+29
-0
lines changed

3 files changed

+29
-0
lines changed

src/controllers/Comment/Delete.php

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,18 @@ public function run(Router &$router) {
3838
$model->parent_type = null;
3939
$model->title = null;
4040
$model->user_session = UserSession::load($router);
41+
$model->user = (isset($model->user_session) ?
42+
new User($model->user_session->user_id) : null);
4143

4244
try { $model->comment = new Comment($model->id); }
4345
catch (CommentNotFoundException $e) { $model->comment = null; }
4446
catch (InvalidArgumentException $e) { $model->comment = null; }
4547

48+
$model->acl_allowed = ($model->user &&
49+
($model->user->getOptionsBitmask() & User::OPTION_ACL_COMMENT_DELETE)
50+
|| ($model->user_session->user_id == $model->comment->getUserId())
51+
);
52+
4653
if ($model->comment === null) {
4754
$model->error = "NOT_FOUND";
4855
} else {

src/controllers/Document/Delete.php

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,12 @@ public function run(Router &$router) {
3535
$model->id = (isset($data["id"]) ? $data["id"] : null);
3636
$model->title = null;
3737
$model->user_session = UserSession::load($router);
38+
$model->user = (isset($model->user_session) ?
39+
new User($model->user_session->user_id) : null);
40+
41+
$model->acl_allowed = ($model->user &&
42+
$model->user->getOptionsBitmask() & User::OPTION_ACL_DOCUMENT_DELETE
43+
);
3844

3945
try { $model->document = new Document($model->id); }
4046
catch (DocumentNotFoundException $e) { $model->document = null; }
@@ -76,6 +82,11 @@ protected function tryDelete(Router &$router, DocumentDeleteModel &$model) {
7682
}
7783
CSRF::invalidate($csrf_id);
7884

85+
if (!$model->acl_allowed) {
86+
$model->error = "ACL_NOT_SET";
87+
return;
88+
}
89+
7990
$model->error = false;
8091

8192
$id = (int) $model->id;

src/controllers/News/Delete.php

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,12 @@ public function run(Router &$router) {
3535
$model->news_post = null;
3636
$model->title = null;
3737
$model->user_session = UserSession::load($router);
38+
$model->user = (isset($model->user_session) ?
39+
new User($model->user_session->user_id) : null);
40+
41+
$model->acl_allowed = ($model->user &&
42+
$model->user->getOptionsBitmask() & User::OPTION_ACL_NEWS_DELETE
43+
);
3844

3945
try { $model->news_post = new NewsPost($model->id); }
4046
catch (NewsPostNotFoundException $e) { $model->news_post = null; }
@@ -76,6 +82,11 @@ protected function tryDelete(Router &$router, NewsDeleteModel &$model) {
7682
}
7783
CSRF::invalidate($csrf_id);
7884

85+
if (!$model->acl_allowed) {
86+
$model->error = "ACL_NOT_SET";
87+
return;
88+
}
89+
7990
$model->error = false;
8091

8192
$id = (int) $model->id;

0 commit comments

Comments
 (0)