added missing project membership check in xhr_import() and related functions in file.php and code.php

hyung-hwan 2015-09-08 04:22:35 +00:00
parent c0126a059e
commit 13fcabd21e
2 changed files with 46 additions and 21 deletions


@ -351,7 +351,7 @@ class Code extends Controller
if ($login['id'] == '') if ($login['id'] == '')
{ {
$status = 'signin'; $status = 'error - anonymous user';
} }
else else
{ {
@ -362,11 +362,16 @@ class Code extends Controller
$project = $this->projects->get ($projectid); $project = $this->projects->get ($projectid);
if ($project === FALSE) if ($project === FALSE)
{ {
$status = "dberr - failed to get the project {$projectid}"; $status = "error - failed to get the project {$projectid}";
} }
else if ($project === NULL) else if ($project === NULL)
{ {
$status = "noent - no such project {$projectid}"; $status = "error - no such project {$projectid}";
}
else if (!$login['sysadmin?'] &&
$this->projects->projectHasMember($projectid, $login['id']) === FALSE)
{
$status = "error - not a member {$login['id']}";
} }
else else
{ {
@ -399,7 +404,7 @@ class Code extends Controller
if (count($import_files) > 0 && $this->subversion->importFiles ($projectid, $path, $login['id'], $post_new_message, $import_files, $this->upload) === FALSE) if (count($import_files) > 0 && $this->subversion->importFiles ($projectid, $path, $login['id'], $post_new_message, $import_files, $this->upload) === FALSE)
{ {
$status = 'repoerr - ' . $this->subversion->getErrorMessage(); $status = 'error - ' . $this->subversion->getErrorMessage();
} }
else else
{ {
@ -408,7 +413,7 @@ class Code extends Controller
} }
else else
{ {
$status = 'posterr - invalid post data'; $status = 'error - invalid post data';
} }
} }
} }
@ -426,7 +431,7 @@ class Code extends Controller
if ($login['id'] == '') if ($login['id'] == '')
{ {
$status = 'signin'; $status = 'error - anonymous user';
} }
else else
{ {
@ -437,11 +442,16 @@ class Code extends Controller
$project = $this->projects->get ($projectid); $project = $this->projects->get ($projectid);
if ($project === FALSE) if ($project === FALSE)
{ {
$status = "dberr - failed to get the project {$projectid}"; $status = "error - failed to get the project {$projectid}";
} }
else if ($project === NULL) else if ($project === NULL)
{ {
$status = "noent - no such project {$projectid}"; $status = "error - no such project {$projectid}";
}
else if (!$login['sysadmin?'] &&
$this->projects->projectHasMember($projectid, $login['id']) === FALSE)
{
$status = "error - not a member {$login['id']}";
} }
else else
{ {
@ -462,7 +472,7 @@ class Code extends Controller
if (count($delete_files) > 0 && $this->subversion->deleteFiles ($projectid, $path, $login['id'], $post_delete_message, $delete_files) === FALSE) if (count($delete_files) > 0 && $this->subversion->deleteFiles ($projectid, $path, $login['id'], $post_delete_message, $delete_files) === FALSE)
{ {
$status = 'repoerr - ' . $this->subversion->getErrorMessage(); $status = 'error - ' . $this->subversion->getErrorMessage();
} }
else else
{ {
@ -471,7 +481,7 @@ class Code extends Controller
} }
else else
{ {
$status = 'posterr - invalid post data'; $status = 'error - invalid post data';
} }
} }
} }
@ -489,7 +499,7 @@ class Code extends Controller
if ($login['id'] == '') if ($login['id'] == '')
{ {
$status = 'signin'; $status = 'error - anonymous user';
} }
else else
{ {
@ -500,11 +510,16 @@ class Code extends Controller
$project = $this->projects->get ($projectid); $project = $this->projects->get ($projectid);
if ($project === FALSE) if ($project === FALSE)
{ {
$status = "dberr - failed to get the project {$projectid}"; $status = "error - failed to get the project {$projectid}";
} }
else if ($project === NULL) else if ($project === NULL)
{ {
$status = "noent - no such project {$projectid}"; $status = "error - no such project {$projectid}";
}
else if (!$login['sysadmin?'] &&
$this->projects->projectHasMember($projectid, $login['id']) === FALSE)
{
$status = "error - not a member {$login['id']}";
} }
else else
{ {
@ -525,7 +540,7 @@ class Code extends Controller
if (count($rename_files) > 0 && $this->subversion->renameFiles ($projectid, $path, $login['id'], $post_rename_message, $rename_files) === FALSE) if (count($rename_files) > 0 && $this->subversion->renameFiles ($projectid, $path, $login['id'], $post_rename_message, $rename_files) === FALSE)
{ {
$status = 'repoerr - ' . $this->subversion->getErrorMessage(); $status = 'error - ' . $this->subversion->getErrorMessage();
} }
else else
{ {
@ -534,7 +549,7 @@ class Code extends Controller
} }
else else
{ {
$status = 'posterr - invalid post data'; $status = 'error - invalid post data';
} }
} }
} }
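Review bot: The new membership guard (the `else if` branch added in each of the three hunks of this section) denies only when projectHasMember() returns exactly FALSE, so any other non-affirmative result — NULL, 0, an empty array, or an error sentinel if the model reports lookup failures the way projects->get() does with its FALSE/NULL split — falls through into the import, delete or rename path as if the caller were a member. An authorization check should fail closed: test for an affirmative instead, `$this->projects->projectHasMember($projectid, $login['id']) !== TRUE` if the helper returns a strict boolean, or at minimum `!$this->projects->projectHasMember($projectid, $login['id'])`, which rejects every falsy value. Whether the helper can return anything besides TRUE/FALSE is not visible here, but a one-line comment such as `// fail closed: anything but an affirmative membership is a denial` would pin the intent either way. Each of the three handlers begins and ends outside the hunks shown.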


@ -346,18 +346,23 @@ class File extends Controller
if ($login['id'] == '') if ($login['id'] == '')
{ {
$status = 'signin'; $status = 'error - anonymous user';
} }
else else
{ {
$project = $this->projects->get ($projectid); $project = $this->projects->get ($projectid);
if ($project === FALSE) if ($project === FALSE)
{ {
$status = "dberr - failed to get the project {$projectid}"; $status = "error - failed to get the project {$projectid}";
} }
else if ($project === NULL) else if ($project === NULL)
{ {
$status = "noent - no such project {$projectid}"; $status = "error - no such project {$projectid}";
}
else if (!$login['sysadmin?'] &&
$this->projects->projectHasMember($projectid, $login['id']) === FALSE)
{
$status = "error - not a member {$login['id']}";
} }
else else
{ {
@ -425,9 +430,9 @@ class File extends Controller
} }
} }
} }
print $status;
} }
print $status;
} }
@ -440,7 +445,7 @@ class File extends Controller
if ($login['id'] == '') if ($login['id'] == '')
{ {
$status = 'signin'; $status = 'error - anonymous user';
} }
else else
{ {
@ -455,6 +460,11 @@ class File extends Controller
{ {
$status = "error - no such project {$projectid}"; $status = "error - no such project {$projectid}";
} }
else if (!$login['sysadmin?'] &&
$this->projects->projectHasMember($projectid, $login['id']) === FALSE)
{
$status = "error - not a member {$login['id']}";
}
else else
{ {
$post_delete_confirm = $this->input->post('file_delete_confirm'); $post_delete_confirm = $this->input->post('file_delete_confirm');
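Review bot: The same three-line guard (`!$login['sysadmin?'] && ...projectHasMember(...) === FALSE`), together with the anonymous-user and project-lookup checks ahead of it, is now hand-copied into every xhr_* mutator in both file.php and code.php, and the commit title records exactly what that invites — the check was "missing" from some handlers. Folding the three checks into one private helper that returns NULL when the caller may write to the project, or the status string to print otherwise, gives every present and future handler the same gate and one place to make the membership test fail closed on any non-TRUE result. If a handler reads `$project` after the guard, have the helper hand it back through a by-reference parameter rather than querying twice. The handler containing this hunk begins and ends outside the lines shown.
```php
// Shared gate for the xhr_* mutators: NULL when $login may write to
// $projectid, otherwise the status string the caller prints.
private function _check_project_access ($login, $projectid, &$project)
{
	if ($login['id'] == '') return 'error - anonymous user';

	$project = $this->projects->get ($projectid);
	if ($project === FALSE) return "error - failed to get the project {$projectid}";
	if ($project === NULL) return "error - no such project {$projectid}";

	// Fail closed: anything but an affirmative membership is a denial.
	if (!$login['sysadmin?'] && !$this->projects->projectHasMember ($projectid, $login['id']))
		return "error - not a member {$login['id']}";

	return NULL;
}

// … call site in each handler; the handler's own logic is unchanged …
$status = $this->_check_project_access ($login, $projectid, $project);
if ($status === NULL)
{
	// … unchanged: post-data validation and repository call …
}
```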