ulysia/szurubooru
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Permalink security fix

Browse source
This commit is contained in:
Marcin Kurczewski 2013-10-13 13:38:24 +02:00
parent e33ec7abe7
commit 7c62293b76
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
src/Controllers/PostController.php
View file

@ -8,9 +8,9 @@ class PostController
$callback();
}
private static function locatePost($key)
private static function locatePost($key, $disallowNumeric = false)
{
if (is_numeric($key))
if (is_numeric($key) and !$disallowNumeric)
{
$post = R::findOne('post', 'id = ?', [$key]);
if (!$post)
@ -720,7 +720,7 @@ class PostController
public function retrieveAction($name)
{
$this->context->layoutName = 'layout-file';
$post = self::locatePost($name);
$post = self::locatePost($name, true);
R::preload($post, ['tag']);
PrivilegesHelper::confirmWithException($this->context->user, Privilege::RetrievePost);