Add explicit check for PermissionSet and ProfileField

This commit is contained in:
Philipp Holzer 2021-10-07 20:48:39 +02:00
parent 03164d00e8
commit f73e4adc44
Signed by: nupplaPhil
GPG key ID: 24A7501396EB5432
3 changed files with 15 additions and 24 deletions

View file

@ -23,6 +23,7 @@ namespace Friendica\Model;
use Friendica\BaseModel;
use Friendica\Database\Database;
use Friendica\Network\HTTPException\NotFoundException;
use Friendica\Security\PermissionSet\Depository\PermissionSet as PermissionSetDepository;
use Friendica\Security\PermissionSet\Entity\PermissionSet;
use Psr\Log\LoggerInterface;
@ -40,12 +41,12 @@ use Psr\Log\LoggerInterface;
* @property string value
* @property string created
* @property string edited
* @property PermissionSet permissionset
* @property PermissionSet permissionSet
*/
class ProfileField extends BaseModel
{
/** @var PermissionSet */
private $permissionset;
private $permissionSet;
/** @var PermissionSetDepository */
private $permissionSetDepository;
@ -62,10 +63,17 @@ class ProfileField extends BaseModel
$this->checkValid();
switch ($name) {
case 'permissionset':
$this->permissionset = $this->permissionset ?? $this->permissionSetDepository->selectOneForUser($this->uid, $this->psid);
case 'permissionSet':
if (empty($this->permissionSet)) {
$permissionSet = $this->permissionSetDepository->selectOneById($this->psid);
if ($permissionSet->uid !== $this->uid) {
throw new NotFoundException(sprintf('PermissionSet %d for ProfileSet %d is invalid.', $permissionSet->uid, $this->uid));
}
$return = $this->permissionset;
$this->permissionSet = $permissionSet;
}
$return = $this->permissionSet;
break;
default:
$return = parent::__get($name);

View file

@ -162,8 +162,8 @@ class Index extends BaseSettings
$profileFields = DI::profileField()->selectByUserId(local_user());
foreach ($profileFields as $profileField) {
/** @var ProfileField $profileField */
$defaultPermissions = $profileField->permissionset->withAllowedContacts(
Contact::pruneUnavailable($profileField->permissionset->allow_cid)
$defaultPermissions = $profileField->permissionSet->withAllowedContacts(
Contact::pruneUnavailable($profileField->permissionSet->allow_cid)
);
$custom_fields[] = [

View file

@ -177,23 +177,6 @@ class PermissionSet extends BaseDepository
return $this->selectOrCreate($this->factory->createFromString($uid));
}
/**
* Fetch one PermissionSet with check for ownership
*
* @param int $uid The user id
* @param int $id The unique id of the PermissionSet
*
* @return Entity\PermissionSet
* @throws NotFoundException in case either the id is invalid or the PermissionSet does not relay to the given user
*/
public function selectOneForUser(int $uid, int $id): Entity\PermissionSet
{
return $this->selectOne([
'id' => $id,
'uid' => $uid,
]);
}
/**
* Selects or creates a PermissionSet based on it's fields
*