Controller auth / CSRF fixes

2026-05-21 11:59:13 -04:00 · 2009-09-15 22:51:49 -07:00
parent 7ba93e2645
commit 7608870537
5 changed files with 41 additions and 11 deletions
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -45,9 +45,13 @@ class Organize_Controller extends Controller {
    access::verify_csrf();

    $target_album = ORM::factory("item", $target_album_id);
+    access::required("view", $target_album);
+    access::required("add", $target_album);
+
    foreach ($this->input->post("source_ids") as $source_id) {
      $source = ORM::factory("item", $source_id);
      if (!$source->contains($target_album)) {
+        access::required("edit", $source);
        item::move($source, $target_album);
      }
    }