prevent notifications from being accessed by other users

This commit is contained in:
sbwalker
2024-11-26 14:30:41 -05:00
parent f71a3a1ce3
commit ffea9e3210
5 changed files with 12 additions and 9 deletions


@ -183,7 +183,7 @@ namespace Oqtane.Controllers
{
if (ModelState.IsValid && notification.SiteId == _alias.SiteId && notification.NotificationId == id && _notifications.GetNotification(notification.NotificationId, false) != null && (IsAuthorized(notification.FromUserId) || IsAuthorized(notification.ToUserId)))
{
if (!User.IsInRole(RoleNames.Admin))
if (!User.IsInRole(RoleNames.Admin) && notification.FromUserId != null)
{
// content must be HTML encoded for non-admins to prevent HTML injection
notification.Subject = WebUtility.HtmlEncode(notification.Subject);
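Review bot: The exemption added to the inner `if` keys on the payload's FromUserId rather than on the caller, while the authorization on the line above also admits the ToUserId, so a non-admin recipient updating a notification whose FromUserId is null now stores Subject (and whatever the lines after the hunk encode) unencoded. If a null FromUserId is meant to mark system-generated notifications, that holds only if non-admins cannot submit such a payload, which nothing visible in this hunk enforces. A safer shape is to treat the combination as invalid in the outer condition instead of skipping the encoding, e.g. appending `&& (User.IsInRole(RoleNames.Admin) || notification.FromUserId != null)` to the `if` on the line above and leaving the inner check as `if (!User.IsInRole(RoleNames.Admin))`. Whichever is intended, a comment such as `// notifications without a sender are system-generated; only admins may submit them unencoded` would record why the encoding is conditional. The enclosing method begins and ends outside the hunk.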
@ -223,7 +223,7 @@ namespace Oqtane.Controllers
private bool IsAuthorized(int? userid)
{
bool authorized = true;
bool authorized = false;
if (userid != null)
{
authorized = (_userPermissions.GetUser(User).UserId == userid);