mirror of
https://github.com/sigmasternchen/MyTube
synced 2025-03-15 04:48:55 +00:00
fixes security issues in dashboard controller
parent
bf6b1ed3f6
commit
0471d4fd95
1 changed files with 11 additions and 1 deletions
|
@ -263,6 +263,12 @@ class DashboardController extends AbstractController
|
|||
return $this->redirectToRoute("app_dashboard");
|
||||
}
|
||||
|
||||
$user = $this->userService->getLoggedInUser();
|
||||
|
||||
if ($video->getUploader() != $user) {
|
||||
throw new AccessDeniedHttpException();
|
||||
}
|
||||
|
||||
$videoLink = new VideoLink();
|
||||
$videoLink->setVideo($video);
|
||||
$form = $this->createForm(VideoLinkType::class, $videoLink);
|
||||
|
@ -271,7 +277,6 @@ class DashboardController extends AbstractController
|
|||
if ($form->isSubmitted() && $form->isValid()) {
|
||||
$videoLink = $form->getData();
|
||||
|
||||
$user = $this->userService->getLoggedInUser();
|
||||
$videoLink->setCreator($user);
|
||||
|
||||
$videoLink->setCreated();
|
||||
|
@ -347,6 +352,11 @@ class DashboardController extends AbstractController
|
|||
return $this->redirectToRoute("app_dashboard");
|
||||
}
|
||||
|
||||
$user = $this->userService->getLoggedInUser();
|
||||
if ($videoLink->getCreator() != $user) {
|
||||
throw new AccessDeniedHttpException();
|
||||
}
|
||||
|
||||
$form = $this->createForm(VideoLinkType::class, $videoLink);
|
||||
|
||||
$form->handleRequest($request);
|
||||
|
|
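Review bot: The two new ownership checks, `if ($video->getUploader() != $user)` and `if ($videoLink->getCreator() != $user)`, use PHP's loose object comparison, which compares class and property values rather than identity; the result can therefore depend on how each entity was loaded (for example a lazy proxy versus a fully loaded user object), and `null != null` is false, so a missing uploader or creator combined with no logged-in user would pass the check. Whether `getLoggedInUser()` can return null is not visible here; if it can, guard it explicitly and compare by identity or by a stable identifier, e.g. `if ($user === null || $video->getUploader() !== $user) { throw new AccessDeniedHttpException(); }`. All 11 added lines sit inside the method bodies, so this commit brings no `use` line for AccessDeniedHttpException; confirm the class is already imported in the controller. Both methods begin and end outside the hunks, and since the same check now appears twice, a shared private helper or a Symfony voter called through `denyAccessUnlessGranted()` would make it harder for a future action to omit it.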