authorNicolas Lœuillet <nicolas.loeuillet@gmail.com>2014-02-19 13:25:28 +0100
committerNicolas Lœuillet <nicolas.loeuillet@gmail.com>2014-02-19 13:25:28 +0100
commitb89d5a2bf48c2c1eb796963b3401aca498618ec4 (patch)
treef9ab84e607cb54bdb0dc1d0027435af213a722f3 /inc/poche/Poche.class.php
parent53ae58e1a1bf097b8eb1af3a532ebf25630f96ec (diff)
[fix] security problems with tags
Diffstat (limited to 'inc/poche/Poche.class.php')
-rw-r--r--inc/poche/Poche.class.php26
1 files changed, 22 insertions, 4 deletions
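diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 76169297..753bd7f0 100644
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -463,6 +463,12 @@ class Poche
 case 'add_tag' :
 $tags = explode(',', $_POST['value']);
 $entry_id = $_POST['entry_id'];
+$entry = $this->store->retrieveOneById($entry_id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 foreach($tags as $key => $tag_value) {
 $value = trim($tag_value);
 $tag = $this->store->retrieveTagByValue($value);
@@ -487,6 +493,12 @@ class Poche
 break;
 case 'remove_tag' :
 $tag_id = $_GET['tag_id'];
+$entry = $this->store->retrieveOneById($id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 $this->store->removeTagForEntry($id, $tag_id);
 Tools::redirect();
 break;
@@ -525,6 +537,12 @@ class Poche
 break;
 case 'edit-tags':
 # tags
+$entry = $this->store->retrieveOneById($id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 $tags = $this->store->retrieveTagsByEntry($id);
 $tpl_vars = array(
 'entry_id' => $id,
@@ -532,8 +550,8 @@ class Poche
 );
 break;
 case 'tag':
-$entries = $this->store->retrieveEntriesByTag($id);
-$tag = $this->store->retrieveTag($id);
+$entries = $this->store->retrieveEntriesByTag($id, $this->user->getId());
+$tag = $this->store->retrieveTag($id, $this->user->getId());
 $tpl_vars = array(
 'tag' => $tag,
 'entries' => $entries,
@@ -541,7 +559,7 @@ class Poche
 break;
 case 'tags':
 $token = $this->user->getConfigValue('token');
-$tags = $this->store->retrieveAllTags();
+$tags = $this->store->retrieveAllTags($this->user->getId());
 $tpl_vars = array(
 'token' => $token,
 'user_id' => $this->user->getId(),
@@ -1056,7 +1074,7 @@ class Poche
 $feed->setChannelElement('author', 'wallabag');
 
 if ($type == 'tag') {
-$entries = $this->store->retrieveEntriesByTag($tag_id);
+$entries = $this->store->retrieveEntriesByTag($tag_id, $user_id);
 }
 else {
 $entries = $this->store->getEntriesByView($type, $user_id);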
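Review bot: In the add_tag hunk, `retrieveTagByValue($value)` on new line 474 is still called without the user id, even though this same commit scopes `retrieveTag`, `retrieveAllTags` and `retrieveEntriesByTag` by `$this->user->getId()`. If tag rows are per-user (which the new `retrieveTag($id, $this->user->getId())` signature suggests), an unscoped lookup by value can resolve to another user's tag and attach it to this user's entry; the call should become `$tag = $this->store->retrieveTagByValue($value, $this->user->getId());` with the matching change in the store. The rest of that foreach body, and the method that contains all of these cases, lie outside the hunk, so what is done with `$tag` afterwards cannot be confirmed here. Separately, each new guard only works if `Tools::redirect()` never returns; if it merely emits a Location header, the store call below the guard still runs for a foreign entry, so a `return;` after each `Tools::redirect();` inside the `if (!$entry)` blocks would make the check robust either way.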