author | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-19 13:25:28 +0100 |
---|---|---|
committer | Nicolas LÅ“uillet <nicolas.loeuillet@gmail.com> | 2014-02-19 13:25:28 +0100 |
commit | b89d5a2bf48c2c1eb796963b3401aca498618ec4 (patch) | |
tree | f9ab84e607cb54bdb0dc1d0027435af213a722f3 /inc/poche/Poche.class.php | |
parent | 53ae58e1a1bf097b8eb1af3a532ebf25630f96ec (diff) | |
[fix] security problems with tags
Diffstat (limited to 'inc/poche/Poche.class.php')
-rw-r--r-- | inc/poche/Poche.class.php | 26 |
1 files changed, 22 insertions, 4 deletions
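diff --git a/inc/poche/Poche.class.php b/inc/poche/Poche.class.php
index 76169297..753bd7f0 100644
--- a/inc/poche/Poche.class.php
+++ b/inc/poche/Poche.class.php
@@ -463,6 +463,12 @@ class Poche
 case 'add_tag' :
 $tags = explode(',', $_POST['value']);
 $entry_id = $_POST['entry_id'];
+$entry = $this->store->retrieveOneById($entry_id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 foreach($tags as $key => $tag_value) {
 $value = trim($tag_value);
 $tag = $this->store->retrieveTagByValue($value);
@@ -487,6 +493,12 @@ class Poche
 break;
 case 'remove_tag' :
 $tag_id = $_GET['tag_id'];
+$entry = $this->store->retrieveOneById($id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 $this->store->removeTagForEntry($id, $tag_id);
 Tools::redirect();
 break;
@@ -525,6 +537,12 @@ class Poche
 break;
 case 'edit-tags':
 # tags
+$entry = $this->store->retrieveOneById($id, $this->user->getId());
+if (!$entry) {
+$this->messages->add('e', _('Article not found!'));
+Tools::logm('error : article not found');
+Tools::redirect();
+}
 $tags = $this->store->retrieveTagsByEntry($id);
 $tpl_vars = array(
 'entry_id' => $id,
@@ -532,8 +550,8 @@ class Poche
 );
 break;
 case 'tag':
-$entries = $this->store->retrieveEntriesByTag($id);
-$tag = $this->store->retrieveTag($id);
+$entries = $this->store->retrieveEntriesByTag($id, $this->user->getId());
+$tag = $this->store->retrieveTag($id, $this->user->getId());
 $tpl_vars = array(
 'tag' => $tag,
 'entries' => $entries,
@@ -541,7 +559,7 @@ class Poche
 break;
 case 'tags':
 $token = $this->user->getConfigValue('token');
-$tags = $this->store->retrieveAllTags();
+$tags = $this->store->retrieveAllTags($this->user->getId());
 $tpl_vars = array(
 'token' => $token,
 'user_id' => $this->user->getId(),
@@ -1056,7 +1074,7 @@ class Poche
 $feed->setChannelElement('author', 'wallabag');
 
 if ($type == 'tag') {
-$entries = $this->store->retrieveEntriesByTag($tag_id);
+$entries = $this->store->retrieveEntriesByTag($tag_id, $user_id);
 }
 else {
 $entries = $this->store->getEntriesByView($type, $user_id);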
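Review bot: In the `remove_tag` case (second hunk, new lines 495–501) the new guard only proves the entry `$id` belongs to the current user; the operation itself is still a state change triggered by `$_GET['tag_id']` with no anti-CSRF token visible in this hunk, so a third-party page can still make a logged-in user strip tags from their own entries by loading a link. Unless a token is verified before the `switch` (outside this hunk), `remove_tag` should read its parameters from `$_POST` and require a per-user token, as `add_tag` already takes its input from `$_POST`. All three new ownership checks also depend on `Tools::redirect()` never returning; if it only emits a `Location` header, `removeTagForEntry($id, $tag_id)` and `retrieveTagsByEntry($id)` still execute for the foreign entry, so I would follow each `Tools::redirect();` with an explicit `return;` (or confirm it calls `exit`) to make the guard self-contained. The enclosing method and its `switch` start and end outside these hunks.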