From 25feb31c1a8092af614c1dc169a01e4f8fb0a7b9 Mon Sep 17 00:00:00 2001
From: Aaron van Geffen
Date: Thu, 18 Jan 2024 13:40:17 +0100
Subject: [PATCH] EditAsset: some hardening; deduplicate redirect code
---
 controllers/EditAsset.php | 52 ++++++++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 23 deletions(-)
diff --git a/controllers/EditAsset.php b/controllers/EditAsset.php
index 19cf70b8..d5582d17 100644
--- a/controllers/EditAsset.php
+++ b/controllers/EditAsset.php
@@ -30,33 +30,39 @@ class EditAsset extends HTMLController
 header('Location: ' . $redirectUrl);
 exit;
 }
- else if ((isset($_REQUEST['inc_prio']) || isset($_REQUEST['dec_prio'])) && Session::validateSession('get'))
+ else
 {
- if (isset($_REQUEST['inc_prio']))
- $priority = $asset->priority + 1;
- else
- $priority = $asset->priority - 1;
+ $isPrioChange = isset($_REQUEST['inc_prio']) || isset($_REQUEST['dec_prio']);
+ $isCoverChange = isset($_REQUEST['album_cover'], $_REQUEST['in']);
+ $madeChanges = false;
- $asset->priority = max(0, min(100, $priority));
- $asset->save();
+ if ($user->isAdmin() && $isPrioChange && Session::validateSession('get'))
+ {
+ if (isset($_REQUEST['inc_prio']))
+ $priority = $asset->priority + 1;
+ else
+ $priority = $asset->priority - 1;
- if (isset($_SERVER['HTTP_REFERER']))
- header('Location: ' . $_SERVER['HTTP_REFERER']);
- else
- header('Location: ' . BASEURL . '/' . $asset->getSubdir());
- exit;
- }
- else if (isset($_REQUEST['album_cover'], $_REQUEST['in']) && Session::validateSession('get'))
- {
- $tag = Tag::fromId($_REQUEST['in']);
- $tag->id_asset_thumb = $asset->getId();
- $tag->save();
+ $asset->priority = max(0, min(100, $priority));
+ $asset->save();
+ $madeChanges = true;
+ }
+ elseif ($user->isAdmin() && $isCoverChange && Session::validateSession('get'))
+ {
+ $tag = Tag::fromId($_REQUEST['in']);
+ $tag->id_asset_thumb = $asset->getId();
+ $tag->save();
+ $madeChanges = true;
+ }
- if (isset($_SERVER['HTTP_REFERER']))
- header('Location: ' . $_SERVER['HTTP_REFERER']);
- else
- header('Location: ' . BASEURL . '/' . $asset->getSubdir());
- exit;
+ if ($madeChanges)
+ {
+ if (isset($_SERVER['HTTP_REFERER']))
+ header('Location: ' . $_SERVER['HTTP_REFERER']);
+ else
+ header('Location: ' . BASEURL . '/' . $asset->getSubdir());
+ exit;
+ }
 }
 // Get a list of available photo albums
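Review bot: The deduplicated redirect under `if ($madeChanges)` still sends the browser to the raw `HTTP_REFERER` value, which is client-supplied, so after a successful change the controller can redirect to any origin the request names; now that this code lives in one place it is the natural spot to accept the referer only when it begins with `BASEURL . '/'` (the trailing slash keeps a look-alike host from matching a bare prefix) and otherwise fall back to the asset's subdir. The `$user->isAdmin()` gate added to both branches is a clear improvement; `$user`, `$asset` and the enclosing method are all defined outside the hunk. `Tag::fromId($_REQUEST['in'])` is dereferenced without checking the result, so if it returns null for an unknown id (cannot tell from here) the cover branch would fail on `$tag->id_asset_thumb` — either confirm it throws or guard with `if ($tag !== null)` before the save. `str_starts_with` below needs PHP 8; `strncmp($ref, BASEURL . '/', strlen(BASEURL) + 1) === 0` is the older-PHP equivalent.
```php
// … unchanged: priority / album-cover branches …
if ($madeChanges)
{
	$target = BASEURL . '/' . $asset->getSubdir();
	if (isset($_SERVER['HTTP_REFERER']) && str_starts_with($_SERVER['HTTP_REFERER'], BASEURL . '/'))
		$target = $_SERVER['HTTP_REFERER'];
	header('Location: ' . $target);
	exit;
}
```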