Add explicit check for PermissionSet and ProfileField

This commit is contained in:
Philipp 2021-10-07 20:48:39 +02:00
parent 03164d00e8
commit f73e4adc44
No known key found for this signature in database
GPG Key ID: 24A7501396EB5432
3 changed files with 15 additions and 24 deletions

View File

@ -23,6 +23,7 @@ namespace Friendica\Model;
use Friendica\BaseModel; use Friendica\BaseModel;
use Friendica\Database\Database; use Friendica\Database\Database;
use Friendica\Network\HTTPException\NotFoundException;
use Friendica\Security\PermissionSet\Depository\PermissionSet as PermissionSetDepository; use Friendica\Security\PermissionSet\Depository\PermissionSet as PermissionSetDepository;
use Friendica\Security\PermissionSet\Entity\PermissionSet; use Friendica\Security\PermissionSet\Entity\PermissionSet;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
@ -40,12 +41,12 @@ use Psr\Log\LoggerInterface;
* @property string value * @property string value
* @property string created * @property string created
* @property string edited * @property string edited
* @property PermissionSet permissionset * @property PermissionSet permissionSet
*/ */
class ProfileField extends BaseModel class ProfileField extends BaseModel
{ {
/** @var PermissionSet */ /** @var PermissionSet */
private $permissionset; private $permissionSet;
/** @var PermissionSetDepository */ /** @var PermissionSetDepository */
private $permissionSetDepository; private $permissionSetDepository;
@ -62,10 +63,17 @@ class ProfileField extends BaseModel
$this->checkValid(); $this->checkValid();
switch ($name) { switch ($name) {
case 'permissionset': case 'permissionSet':
$this->permissionset = $this->permissionset ?? $this->permissionSetDepository->selectOneForUser($this->uid, $this->psid); if (empty($this->permissionSet)) {
$permissionSet = $this->permissionSetDepository->selectOneById($this->psid);
if ($permissionSet->uid !== $this->uid) {
throw new NotFoundException(sprintf('PermissionSet %d for ProfileSet %d is invalid.', $permissionSet->uid, $this->uid));
}
$return = $this->permissionset; $this->permissionSet = $permissionSet;
}
$return = $this->permissionSet;
break; break;
default: default:
$return = parent::__get($name); $return = parent::__get($name);

View File

@ -162,8 +162,8 @@ class Index extends BaseSettings
$profileFields = DI::profileField()->selectByUserId(local_user()); $profileFields = DI::profileField()->selectByUserId(local_user());
foreach ($profileFields as $profileField) { foreach ($profileFields as $profileField) {
/** @var ProfileField $profileField */ /** @var ProfileField $profileField */
$defaultPermissions = $profileField->permissionset->withAllowedContacts( $defaultPermissions = $profileField->permissionSet->withAllowedContacts(
Contact::pruneUnavailable($profileField->permissionset->allow_cid) Contact::pruneUnavailable($profileField->permissionSet->allow_cid)
); );
$custom_fields[] = [ $custom_fields[] = [

View File

@ -177,23 +177,6 @@ class PermissionSet extends BaseDepository
return $this->selectOrCreate($this->factory->createFromString($uid)); return $this->selectOrCreate($this->factory->createFromString($uid));
} }
/**
* Fetch one PermissionSet with check for ownership
*
* @param int $uid The user id
* @param int $id The unique id of the PermissionSet
*
* @return Entity\PermissionSet
* @throws NotFoundException in case either the id is invalid or the PermissionSet does not relay to the given user
*/
public function selectOneForUser(int $uid, int $id): Entity\PermissionSet
{
return $this->selectOne([
'id' => $id,
'uid' => $uid,
]);
}
/** /**
* Selects or creates a PermissionSet based on it's fields * Selects or creates a PermissionSet based on it's fields
* *