#3: Fixed a security issue where a user could move photos into an album they aren't allowed to upload photos into. Fixed the Select All|Select None links in the permissions drop-down

This commit is contained in:
Andy Heathershaw 2017-04-16 09:50:40 +01:00
parent 2d8ba9da16
commit a1bcb5b6cf
2 changed files with 9 additions and 7 deletions


@ -32,7 +32,7 @@
<div class="form-group"> <div class="form-group">
<label class="form-control-label" for="album-description">@lang('forms.description_label')</label> <label class="form-control-label" for="album-description">@lang('forms.description_label')</label>
<textarea class="form-control" id="album-description" name="description">{{ old('description') }}</textarea> <textarea class="form-control" id="album-description" name="description" rows="5">{{ old('description') }}</textarea>
</div> </div>
<div class="form-group"> <div class="form-group">


@ -88,10 +88,12 @@
// Populate the list of albums in the view model // Populate the list of albums in the view model
@foreach ($albums as $album) @foreach ($albums as $album)
@if(Gate::check('edit', $album) && Gate::check('upload-photos', $album))
editViewModel.data.albums.push({ editViewModel.data.albums.push({
'id': '{{ $album->id }}', 'id': '{{ $album->id }}',
'name': '{!! addslashes($album->name) !!}' 'name': '{!! addslashes($album->name) !!}'
}); });
@endif
@endforeach @endforeach
$(document).ready(function() { $(document).ready(function() {
@ -124,11 +126,11 @@
{{-- Select All/None links on the permissions tab --}} {{-- Select All/None links on the permissions tab --}}
$('a.select-all').click(function() { $('a.select-all').click(function() {
$('input:checkbox', $(this).closest('.panel-body')).prop('checked', true); $('input:checkbox', $(this).closest('.card-block')).prop('checked', true);
return false; return false;
}); });
$('a.select-none').click(function() { $('a.select-none').click(function() {
$('input:checkbox', $(this).closest('.panel-body')).prop('checked', false); $('input:checkbox', $(this).closest('.card-block')).prop('checked', false);
return false; return false;
}); });
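Review bot: The `@if(Gate::check('edit', $album) && Gate::check('upload-photos', $album))` guard added in the second file's first hunk (`@ -88,10 +88,12 @@`) only filters which albums the browser is shown; both files in this commit are views, so unless the controller that handles the move request also checks the `upload-photos` gate against the destination album (not visible here), a client can still submit any album id and the restriction is not enforced. The server-side check is the one that closes the issue described in the commit title; the view filter is a usability improvement on top of it. Separately, the surrounding context lines still emit `{!! addslashes($album->name) !!}` directly into a JavaScript string literal, and `addslashes` does not neutralise a `</script>` sequence or line breaks in the name, so consider `'name': {!! json_encode($album->name) !!}` or an equivalent JS-context escape in a follow-up.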