sigmasternchen/MyTube
1
0
Fork 0
mirror of https://github.com/sigmasternchen/MyTube synced 2025-03-15 21:08:55 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixes security issues in dashboar controller

Browse source
This commit is contained in:
overflowerror 2021-01-17 22:55:43 +01:00
parent bf6b1ed3f6
commit 0471d4fd95
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/Controller/DashboardController.php
View file

@ -263,6 +263,12 @@ class DashboardController extends AbstractController
return $this->redirectToRoute("app_dashboard"); return $this->redirectToRoute("app_dashboard");
} }
$user = $this->userService->getLoggedInUser();
if ($video->getUploader() != $user) {
throw new AccessDeniedHttpException();
}
$videoLink = new VideoLink(); $videoLink = new VideoLink();
$videoLink->setVideo($video); $videoLink->setVideo($video);
$form = $this->createForm(VideoLinkType::class, $videoLink); $form = $this->createForm(VideoLinkType::class, $videoLink);
@ -271,7 +277,6 @@ class DashboardController extends AbstractController
if ($form->isSubmitted() && $form->isValid()) { if ($form->isSubmitted() && $form->isValid()) {
$videoLink = $form->getData(); $videoLink = $form->getData();
$user = $this->userService->getLoggedInUser();
$videoLink->setCreator($user); $videoLink->setCreator($user);
$videoLink->setCreated(); $videoLink->setCreated();
@ -347,6 +352,11 @@ class DashboardController extends AbstractController
return $this->redirectToRoute("app_dashboard"); return $this->redirectToRoute("app_dashboard");
} }
$user = $this->userService->getLoggedInUser();
if ($videoLink->getCreator() != $user) {
throw new AccessDeniedHttpException();
}
$form = $this->createForm(VideoLinkType::class, $videoLink); $form = $this->createForm(VideoLinkType::class, $videoLink);
$form->handleRequest($request); $form->handleRequest($request);