Add explicit check for PermissionSet and ProfileField

2021-10-07 20:48:39 +02:00 · 2021-10-07 20:48:39 +02:00 · f73e4adc44
parent 03164d00e8
commit f73e4adc44
3 changed files with 15 additions and 24 deletions
--- a/src/Model/ProfileField.php
+++ b/src/Model/ProfileField.php
@ -23,6 +23,7 @@ namespace Friendica\Model;

 use Friendica\BaseModel;
 use Friendica\Database\Database;
+use Friendica\Network\HTTPException\NotFoundException;
 use Friendica\Security\PermissionSet\Depository\PermissionSet as PermissionSetDepository;
 use Friendica\Security\PermissionSet\Entity\PermissionSet;
 use Psr\Log\LoggerInterface;
@ -40,12 +41,12 @@ use Psr\Log\LoggerInterface;
 * @property string value
 * @property string created
 * @property string edited
- * @property PermissionSet permissionset
+ * @property PermissionSet permissionSet
 */
 class ProfileField extends BaseModel
 {
 	/** @var PermissionSet */
-	private $permissionset;
+	private $permissionSet;

 	/** @var PermissionSetDepository */
 	private $permissionSetDepository;
@ -62,10 +63,17 @@ class ProfileField extends BaseModel
 		$this->checkValid();

 		switch ($name) {
-			case 'permissionset':
-				$this->permissionset = $this->permissionset ?? $this->permissionSetDepository->selectOneForUser($this->uid, $this->psid);
+			case 'permissionSet':
+				if (empty($this->permissionSet)) {
+					$permissionSet = $this->permissionSetDepository->selectOneById($this->psid);
+					if ($permissionSet->uid !== $this->uid) {
+						throw new NotFoundException(sprintf('PermissionSet %d for ProfileSet %d is invalid.', $permissionSet->uid, $this->uid));
+					}

-				$return = $this->permissionset;
+					$this->permissionSet = $permissionSet;
+				}
+
+				$return = $this->permissionSet;
 				break;
 			default:
 				$return = parent::__get($name);
--- a/src/Module/Settings/Profile/Index.php
+++ b/src/Module/Settings/Profile/Index.php
@ -162,8 +162,8 @@ class Index extends BaseSettings
 		$profileFields = DI::profileField()->selectByUserId(local_user());
 		foreach ($profileFields as $profileField) {
 			/** @var ProfileField $profileField */
-			$defaultPermissions = $profileField->permissionset->withAllowedContacts(
-				Contact::pruneUnavailable($profileField->permissionset->allow_cid)
+			$defaultPermissions = $profileField->permissionSet->withAllowedContacts(
+				Contact::pruneUnavailable($profileField->permissionSet->allow_cid)
 			);

 			$custom_fields[] = [
--- a/src/Security/PermissionSet/Depository/PermissionSet.php
+++ b/src/Security/PermissionSet/Depository/PermissionSet.php
@ -177,23 +177,6 @@ class PermissionSet extends BaseDepository
 		return $this->selectOrCreate($this->factory->createFromString($uid));
 	}

-	/**
-	 * Fetch one PermissionSet with check for ownership
-	 *
-	 * @param int $uid The user id
-	 * @param int $id  The unique id of the PermissionSet
-	 *
-	 * @return Entity\PermissionSet
-	 * @throws NotFoundException in case either the id is invalid or the PermissionSet does not relay to the given user
-	 */
-	public function selectOneForUser(int $uid, int $id): Entity\PermissionSet
-	{
-		return $this->selectOne([
-			'id'  => $id,
-			'uid' => $uid,
-		]);
-	}
-
 	/**
 	 * Selects or creates a PermissionSet based on it's fields
 	 *