fix: prevent link share IDOR by validating project_id in Delete and ReadOne

kolaente 2026-03-23 16:11:42 +01:00 committed by kolaente
parent b8edc8f17f
commit 654d2c7042
1 changed files with 6 additions and 2 deletions


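--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -200,7 +200,11 @@ func (share *LinkSharing) Create(s *xorm.Session, a web.Auth) (err error) {
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{project}/shares/{share} [get]
 func (share *LinkSharing) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
-exists, err := s.Where("id = ?", share.ID).Get(share)
+query := s.Where("id = ?", share.ID)
+if share.ProjectID != 0 {
+query = query.And("project_id = ?", share.ProjectID)
+}
+exists, err := query.Get(share)
 if err != nil {
 return err
 }
@@ -302,7 +306,7 @@ func (share *LinkSharing) ReadAll(s *xorm.Session, a web.Auth, search string, pa
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /projects/{project}/shares/{share} [delete]
 func (share *LinkSharing) Delete(s *xorm.Session, _ web.Auth) (err error) {
-_, err = s.Where("id = ?", share.ID).Delete(share)
+_, err = s.Where("id = ? AND project_id = ?", share.ID, share.ProjectID).Delete(share)
 return
 }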
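Review bot: Delete now scopes the row by project_id but still discards the affected-row count, so a request whose share ID belongs to a different project deletes nothing and returns nil, i.e. the caller sees success rather than the not-found error ReadOne presumably returns when `exists` is false (that branch is outside the hunk). I would check the count: `affected, err := s.Where("id = ? AND project_id = ?", share.ID, share.ProjectID).Delete(share)`, then `if err != nil { return err }` and `if affected == 0 { return <the share-not-found error used by ReadOne> }`, returning nil otherwise. The two hunks are also inconsistent: in ReadOne the project_id condition is only added when `share.ProjectID != 0`, while Delete applies it unconditionally, so any caller that reaches ReadOne without the route's project ID bound gets an unscoped lookup by ID alone; if that zero-ID path is intentional (an internal caller looking up by ID only, which I cannot confirm from here), a comment such as `// ProjectID is 0 only for internal lookups; the HTTP route always binds it` on the `if` would make the gap deliberate rather than accidental. ReadOne's body continues past the first hunk.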