Added better control that the issue/download are in the project.

When you view/edit a download or issue, if the download/issue is not in the current project a 404 page is returned.
2008-08-05 19:58:21 +02:00 · 2008-08-05 19:58:21 +02:00 · 3990098e4b
commit 3990098e4b
parent 5e3b2bac28
3 changed files with 19 additions and 11 deletions
--- a/src/IDF/Project.php
+++ b/src/IDF/Project.php
@ -319,4 +319,20 @@ class IDF_Project extends Pluf_Model
        // containing a series of git repositories
        return $gitrep.'/'.$this->shortname.'.git';
    }
+
+    /**
+     * Check that the object belongs to the project or rise a 404
+     * error.
+     *
+     * By convention, all the objects belonging to a project have the
+     * 'project' property set, so this is easy to check.
+     *
+     * @param Pluf_Model 
+     */
+    public function inOr404($obj)
+    {
+        if ($obj->project != $this->id) {
+            throw new Pluf_HTTP_Error404();
+        }
+    }
 }
--- a/src/IDF/Views/Download.php
+++ b/src/IDF/Views/Download.php
@ -77,9 +77,7 @@ class IDF_Views_Download
    {
        $prj = $request->project;
        $upload = Pluf_Shortcuts_GetObjectOr404('IDF_Upload', $match[2]);
-        if ($upload->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($upload);
        $title = sprintf(__('Download %s'), $upload->summary);
        $form = false;
        if ($request->method == 'POST' and
@ -121,9 +119,7 @@ class IDF_Views_Download
    {
        $prj = $request->project;
        $upload = Pluf_Shortcuts_GetObjectOr404('IDF_Upload', $match[2]);
-        if ($upload->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($upload);
        $upload->downloads += 1;
        $upload->update();
        return new Pluf_HTTP_Response_Redirect($upload->getAbsoluteUrl($prj));
@ -199,8 +195,6 @@ class IDF_Views_Download
 */
 function IDF_Views_Download_SummaryAndLabels($field, $down, $extra='')
 {
-    //$edit = Pluf_HTTP_URL_urlForView('IDF_Views_Download::view', 
-    //                                     array($down->shortname, $down->id));
    $tags = array();
    foreach ($down->get_tags_list() as $tag) {
        $tags[] = sprintf('<span class="label">%s</span>', Pluf_esc((string) $tag));
--- a/src/IDF/Views/Issue.php
+++ b/src/IDF/Views/Issue.php
@ -161,9 +161,7 @@ class IDF_Views_Issue
    {
        $prj = $request->project;
        $issue = Pluf_Shortcuts_GetObjectOr404('IDF_Issue', $match[2]);
-        if ($issue->project != $prj->id) {
-            throw new Pluf_HTTP_Error404();
-        }
+        $prj->inOr404($issue);
        $comments = $issue->get_comments_list(array('order' => 'id ASC'));
        $url = Pluf_HTTP_URL_urlForView('IDF_Views_Issue::view',
                                        array($prj->shortname, $issue->id));