From a1bcb5b6cfb57ba346f373c9511c15bfb9883e4d Mon Sep 17 00:00:00 2001
From: Andy Heathershaw
Date: Sun, 16 Apr 2017 09:50:40 +0100
Subject: [PATCH] #3: Fixed a security issue where a user could move photos into an album they aren't allowed to upload photos into. Fixed the Select All|Select None links in the permissions drop-down
---
 .../views/themes/base/admin/create_album.blade.php | 2 +-
 .../views/themes/base/admin/show_album.blade.php | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/resources/views/themes/base/admin/create_album.blade.php b/resources/views/themes/base/admin/create_album.blade.php
index 718b0e1..e58be58 100644
--- a/resources/views/themes/base/admin/create_album.blade.php
+++ b/resources/views/themes/base/admin/create_album.blade.php
@@ -32,7 +32,7 @@
- +
diff --git a/resources/views/themes/base/admin/show_album.blade.php b/resources/views/themes/base/admin/show_album.blade.php index 561b959..1a98a45 100644 --- a/resources/views/themes/base/admin/show_album.blade.php +++ b/resources/views/themes/base/admin/show_album.blade.php @@ -88,10 +88,12 @@ // Populate the list of albums in the view model @foreach ($albums as $album) - editViewModel.data.albums.push({ - 'id': '{{ $album->id }}', - 'name': '{!! addslashes($album->name) !!}' - }); + @if(Gate::check('edit', $album) && Gate::check('upload-photos', $album)) + editViewModel.data.albums.push({ + 'id': '{{ $album->id }}', + 'name': '{!! addslashes($album->name) !!}' + }); + @endif @endforeach $(document).ready(function() { @@ -124,11 +126,11 @@ {{-- Select All/None links on the permissions tab --}} $('a.select-all').click(function() { - $('input:checkbox', $(this).closest('.panel-body')).prop('checked', true); + $('input:checkbox', $(this).closest('.card-block')).prop('checked', true); return false; }); $('a.select-none').click(function() { - $('input:checkbox', $(this).closest('.panel-body')).prop('checked', false); + $('input:checkbox', $(this).closest('.card-block')).prop('checked', false); return false; });
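Review bot: The new `@if(Gate::check('edit', $album) && Gate::check('upload-photos', $album))` guard only removes albums from the client-side dropdown; it is not an authorization control, because a user can still submit any album id directly to the endpoint that performs the move. Unless that handler already authorizes the target album (it is not part of this patch, so I cannot tell), the same check belongs there, e.g. `$this->authorize('upload-photos', $targetAlbum);` before the photos are reassigned, with the view filter kept only as a UX convenience. Separately, `'name': '{!! addslashes($album->name) !!}'` is emitted raw into a JavaScript string literal, and addslashes does not neutralise `</script>`, newlines or U+2028, so an album name containing `</script>` breaks out of the script context; prefer `'name': {!! json_encode($album->name, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP) !!}`. The enclosing script block (its `<script>` tag is not visible) begins before the hunk.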