fixes security issues in dashboard controller

overflowerror 2021-01-17 22:55:43 +01:00
parent bf6b1ed3f6
commit 0471d4fd95


@ -263,6 +263,12 @@ class DashboardController extends AbstractController
return $this->redirectToRoute("app_dashboard");
}
$user = $this->userService->getLoggedInUser();
if ($video->getUploader() != $user) {
throw new AccessDeniedHttpException();
}
$videoLink = new VideoLink();
$videoLink->setVideo($video);
$form = $this->createForm(VideoLinkType::class, $videoLink);
@ -271,7 +277,6 @@ class DashboardController extends AbstractController
if ($form->isSubmitted() && $form->isValid()) {
$videoLink = $form->getData();
$user = $this->userService->getLoggedInUser();
$videoLink->setCreator($user);
$videoLink->setCreated();
@ -347,6 +352,11 @@ class DashboardController extends AbstractController
return $this->redirectToRoute("app_dashboard");
}
$user = $this->userService->getLoggedInUser();
if ($videoLink->getCreator() != $user) {
throw new AccessDeniedHttpException();
}
$form = $this->createForm(VideoLinkType::class, $videoLink);
$form->handleRequest($request);
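Review bot: Both new ownership checks use loose `!=` on entities (`$video->getUploader() != $user` in the first hunk, `$videoLink->getCreator() != $user` in the third), which in PHP compares class and property values rather than identity and evaluates `null != null` as false. Whether `getLoggedInUser()` can return null on these routes, or whether a video or link can lack an uploader or creator, is not visible here; if both can happen, the guard lets the request through. I would reject a missing user explicitly and compare by identity or by the entities' identifiers, e.g. `if ($user === null || $video->getUploader() !== $user) { throw new AccessDeniedHttpException(); }`, and the same for the link check. Since the same rule now appears in two actions, moving it into one private helper or a voter would keep later actions from drifting; the enclosing methods start and end outside the hunks shown.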