fix: added missing check on user to request removal

thorsten · Jan 12, 2024 · 1348dce · 1348dce
1 parent d9f4974
commit 1348dce
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/phpmyfaq/api.service.php b/phpmyfaq/api.service.php
@@ -978,6 +978,7 @@
             break;
         }
 
+        $userId = Filter::filterVar($postData['userId'], FILTER_VALIDATE_INT);
         $author = trim((string) Filter::filterVar($postData['name'], FILTER_SANITIZE_SPECIAL_CHARS));
         $loginName = trim((string) Filter::filterVar($postData['loginname'], FILTER_SANITIZE_SPECIAL_CHARS));
         $email = trim((string) Filter::filterVar($postData['email'], FILTER_VALIDATE_EMAIL));
@@ -988,6 +989,19 @@
             $email = $faqConfig->getAdminEmail();
         }
 
+        // Validate User ID, Username and email
+        $user = new User($faqConfig);
+        if (
+            !$user->getUserById($userId) ||
+            $userId !== $user->getUserId() ||
+            $loginName !== $user->getLogin() ||
+            $email !== $user->getUserData('email')
+        ) {
+            $response->setStatusCode(Response::HTTP_BAD_REQUEST);
+            $response->setData(['error' => Translation::get('ad_user_error_loginInvalid')]);
+            break;
+        }
+
         if (!empty($author) && !empty($email) && !empty($question) && $stopWords->checkBannedWord($question)) {
             $question = sprintf(
                 "%s %s\n%s %s\n%s %s\n\n %s",

diff --git a/phpmyfaq/assets/themes/default/templates/request-removal.html b/phpmyfaq/assets/themes/default/templates/request-removal.html
@@ -18,7 +18,8 @@ <h1>{{ pageHeader }}</h1>
   </div>
 
   <form id="formValues" action="#" method="post" class="needs-validation" novalidate>
-    <input type="hidden" name="lang" id="lang" value="{{ lang }}" />
+    <input type="hidden" name="lang" id="lang" value="{{ lang }}">
+    <input type="hidden" name="userId" id="userId" value="{{ userId }}">
     {{ csrf }}
 
     <div class="row mb-2">

diff --git a/phpmyfaq/request-removal.php b/phpmyfaq/request-removal.php
@@ -47,6 +47,7 @@
         'ad_user_loginname' => Translation::get('ad_user_loginname'),
         'csrf' => Token::getInstance()->getTokenInput('request-removal'),
         'lang' => $Language->getLanguage(),
+        'userId' => $user->getUserId(),
         'defaultContentMail' => ($user->getUserId() > 0) ? $user->getUserData('email') : '',
         'defaultContentName' =>
             ($user->getUserId() > 0) ? Strings::htmlentities($user->getUserData('display_name')) : '',