Added better control that the issue/download are in the project.

When viewing or editing a download or issue that does not belong to the
current project, a 404 page is returned.
This commit is contained in:
Loic d'Anterroches 2008-08-05 19:58:21 +02:00
parent 5e3b2bac28
commit 3990098e4b
3 changed files with 19 additions and 11 deletions


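--- a/PATH-NOT-SHOWN-ON-PAGE-IDF_Project
+++ b/PATH-NOT-SHOWN-ON-PAGE-IDF_Project
@@ -319,4 +319,20 @@ class IDF_Project extends Pluf_Model
         // containing a series of git repositories
         return $gitrep.'/'.$this->shortname.'.git';
     }
+
+    /**
+     * Check that the object belongs to the project or rise a 404
+     * error.
+     *
+     * By convention, all the objects belonging to a project have the
+     * 'project' property set, so this is easy to check.
+     *
+     * @param Pluf_Model
+     */
+    public function inOr404($obj)
+    {
+        if ($obj->project != $this->id) {
+            throw new Pluf_HTTP_Error404();
+        }
+    }
 }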
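Review bot: `inOr404` compares with loose `!=`, so the ownership check rests on PHP's type juggling between whatever `$obj->project` carries (possibly a string coming from the database) and `$this->id`; an explicit cast and strict comparison, `if ((int) $obj->project !== (int) $this->id) {`, makes the intent unambiguous and keeps the check fail-closed. The docblock has a typo and an incomplete tag: `or raise a 404` and `@param Pluf_Model $obj`. Since this method is now the single place that enforces that a fetched object belongs to the current project, a one-line note in the docblock such as `Call this right after any *GetObjectOr404() lookup of a project-owned object.` would help keep future views consistent.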


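--- a/PATH-NOT-SHOWN-ON-PAGE-IDF_Views_Download
+++ b/PATH-NOT-SHOWN-ON-PAGE-IDF_Views_Download
@@ -77,9 +77,7 @@ class IDF_Views_Download
     {
         $prj = $request->project;
         $upload = Pluf_Shortcuts_GetObjectOr404('IDF_Upload', $match[2]);
-        if ($upload->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($upload);
         $title = sprintf(__('Download %s'), $upload->summary);
         $form = false;
         if ($request->method == 'POST' and
@@ -121,9 +119,7 @@ class IDF_Views_Download
     {
         $prj = $request->project;
         $upload = Pluf_Shortcuts_GetObjectOr404('IDF_Upload', $match[2]);
-        if ($upload->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($upload);
         $upload->downloads += 1;
         $upload->update();
         return new Pluf_HTTP_Response_Redirect($upload->getAbsoluteUrl($prj));
@@ -199,8 +195,6 @@ class IDF_Views_Download
  */
 function IDF_Views_Download_SummaryAndLabels($field, $down, $extra='')
 {
-    //$edit = Pluf_HTTP_URL_urlForView('IDF_Views_Download::view',
-    //                                  array($down->shortname, $down->id));
     $tags = array();
     foreach ($down->get_tags_list() as $tag) {
         $tags[] = sprintf('<span class="label">%s</span>', Pluf_esc((string) $tag));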
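Review bot: Only the two IDF_Views_Download actions in the first two hunks, and the single IDF_Views_Issue action in the next file section, are switched to `$prj->inOr404(...)`; any other action in these classes that loads an `IDF_Upload` or `IDF_Issue` from `$match[2]` (none is visible in this diff, so this is inferred) needs the same call immediately after the lookup, otherwise that object remains reachable under a project it does not belong to. The enclosing methods of each of these hunks start outside the diff, so the surrounding code could not be checked. The third hunk's removal of the commented-out `$edit` lines raises nothing.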


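--- a/PATH-NOT-SHOWN-ON-PAGE-IDF_Views_Issue
+++ b/PATH-NOT-SHOWN-ON-PAGE-IDF_Views_Issue
@@ -161,9 +161,7 @@ class IDF_Views_Issue
     {
         $prj = $request->project;
         $issue = Pluf_Shortcuts_GetObjectOr404('IDF_Issue', $match[2]);
-        if ($issue->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($issue);
         $comments = $issue->get_comments_list(array('order' => 'id ASC'));
         $url = Pluf_HTTP_URL_urlForView('IDF_Views_Issue::view',
                                         array($prj->shortname, $issue->id));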