Commit 900003c5 authored by Robert Lyon

Double-check the viewid when setting up watchlist viewing (Bug 1429647)



A person can alter the viewid passed to the watchlist ajax update, and so
a user can end up watching a view they have no access to.

Change-Id: I21d00963ac3d9d53e337bcb0a7162bd2a1da1802
Signed-off-by: Robert Lyon <robertl@catalyst.net.nz>
parent 48560325
......@@ -156,7 +156,9 @@ addLoadEvent(function () {
artefactid = null;
}
sendjsonrequest(config.wwwroot + 'view/togglewatchlist.json.php', {'view': viewid, 'artefact': artefactid}, 'POST', function(data) {
$('toggle_watchlist_link').innerHTML = data.newtext;
if (data.newtext) {
$('toggle_watchlist_link').innerHTML = data.newtext;
}
});
});
}
......
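Review bot: When the server now replies with only `message` (the access-denied case), the callback does nothing, so the link text stays as it was and the user gets no feedback unless sendjsonrequest() itself surfaces `data.message`; that behaviour lives outside the hunk and is worth confirming. If it does not, the guarded branch could gain an `else` that displays `data.message` to the user. A short comment on the guard, `// newtext is absent when the server refused the watchlist change`, would explain why the assignment became conditional. The enclosing addLoadEvent callback starts before the hunk.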
......@@ -25,6 +25,12 @@ $data->ctime = db_format_timestamp(time());
$result = new StdClass;
require_once(get_config('libroot') . 'view.php');
$view = new View($viewid);
// Check that we can actually access the view and not just hacking the viewid passed in
if (!can_view_view($view)) {
$result->message = get_string('updatewatchlistfailed', 'view');
json_reply('local', $result);
}
$title = $view->get('title');
if (get_record('usr_watchlist_view', 'usr', $data->usr, 'view', $viewid)) {
......
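Review bot: The access-denied branch at `if (!can_view_view($view))` only protects the watchlist if json_reply() terminates the request; should it return, execution falls through to `$title = $view->get('title')` and the watchlist row is still written for a view the user cannot see. If json_reply() does exit, as its use elsewhere suggests, say so at the call site with a comment such as `// json_reply() ends the request; no watchlist row is written for a denied view`; otherwise add an explicit `exit;` after it. Note also that `new View($viewid)` runs before the access check, so an id matching no view is handled by whatever the View constructor does, presumably an exception, which is worth confirming and, if so, worth catching so the client receives the same `updatewatchlistfailed` reply rather than a generic error. The enclosing script continues outside the hunk on both sides.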