Notebook: Validate that only the author can edit the note

chamilo · Apr 18, 2023 · f9a17bf · f9a17bf
1 parent 80d1a8c
commit f9a17bf
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/main/inc/lib/notebook.lib.php b/main/inc/lib/notebook.lib.php
@@ -117,6 +117,7 @@ public static function get_note_information($notebook_id)
         $notebook_id = (int) $notebook_id;
 
         $sql = "SELECT
+                user_id,
                 notebook_id 		AS notebook_id,
                 title				AS note_title,
                 description 		AS note_comment,

diff --git a/main/notebook/index.php b/main/notebook/index.php
@@ -35,7 +35,8 @@ function setFocus(){
 // Tracking
 Event::event_access_tool(TOOL_NOTEBOOK);
 
-$action = isset($_GET['action']) ? $_GET['action'] : '';
+$currentUserId = api_get_user_id();
+$action = $_GET['action'] ?? '';
 
 $logInfo = [
     'tool' => TOOL_NOTEBOOK,
@@ -137,6 +138,15 @@ function setFocus(){
         exit;
     }
 
+    // Setting the defaults
+    $defaults = NotebookManager::get_note_information((int) $_GET['notebook_id']);
+
+    if ($currentUserId !== (int) $defaults['user_id']) {
+        echo Display::return_message(get_lang('NotAllowed'), 'error');
+        Display::display_footer();
+        exit();
+    }
+
     // Initialize the object
     $form = new FormValidator(
         'note',
@@ -159,8 +169,6 @@ function setFocus(){
     );
     $form->addButtonUpdate(get_lang('ModifyNote'), 'SubmitNote');
 
-    // Setting the defaults
-    $defaults = NotebookManager::get_note_information(Security::remove_XSS($_GET['notebook_id']));
     $form->setDefaults($defaults);
 
     // Setting the rules