Improved the security of the new drag and drop features of the projects and contexts lists by checking that the logged in user owns those items.

Also changed references to Form.focus_first which were defined in the removed file prototype-ex.js to Form.focusFirstElement, which is defined in prototype.js. Fixes #133. git-svn-id: http://www.rousette.org.uk/svn/tracks-repos/trunk@149 a4c988fc-2ded-0310-b66e-134b36920a42
2026-01-23 17:26:11 +01:00 · 2005-10-10 21:14:34 +00:00 · 2005-10-10 21:14:34 +00:00 · 5e4f0f9fe8
commit 5e4f0f9fe8
parent 5ce97df3f4
7 changed files with 38 additions and 24 deletions
--- a/tracks/app/controllers/context_controller.rb
+++ b/tracks/app/controllers/context_controller.rb
@ -76,9 +76,10 @@ class ContextController < ApplicationController
  #
  def order
    @params["list-contexts"].each_with_index do |id, position|
-      Context.update(id, :position => position + 1)
+      if check_user_matches_context_user(id)
+        Context.update(id, :position => position + 1)
+      end
    end
-    render_text ""
  end
  
  protected
@ -101,7 +102,18 @@ class ContextController < ApplicationController
      end
    end

-
+    def check_user_matches_context_user(id)
+       @user = @session['user']
+       @context = Context.find_by_id_and_user_id(id, @user.id)
+       if @user == @context.user
+         return @context
+       else
+         @context = nil
+         flash["warning"] = "Project and session user mis-match: #{@context.user_id} and #{@session['user'].id}!"
+         render_text ""
+       end
+    end
+     
    def init
      @user = @session['user']
      @projects = @user.projects.collect { |x| x.done? ? nil:x }.compact