From 17f2251884495b3112ddd0004902fd0c6a6be1ad Mon Sep 17 00:00:00 2001
From: "florian.azizian" <florian.azizian@maarch.org>
Date: Mon, 2 Sep 2019 15:24:13 +0100
Subject: [PATCH] FIX #11296 TIME 0:40 parent_id can not be a child of folder
 id

---
 src/app/folder/controllers/FolderController.php | 14 ++++++++++++++
 src/app/folder/models/FolderModelAbstract.php   |  2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/app/folder/controllers/FolderController.php b/src/app/folder/controllers/FolderController.php
index dcc1eda7055..7296cf8f2a5 100755
--- a/src/app/folder/controllers/FolderController.php
+++ b/src/app/folder/controllers/FolderController.php
@@ -192,6 +192,9 @@ class FolderController
         if ($data['parent_id'] == $aArgs['id']) {
             return $response->withStatus(400)->withJson(['errors' => 'Parent_id and id can not be the same']);
         }
+        if (FolderController::isParentFolder(['parent_id' => $data['parent_id'], 'id' => $aArgs['id']])) {
+            return $response->withStatus(400)->withJson(['errors' => 'Id is a parent of parent_id']);
+        }
 
         $folder = FolderController::getScopeFolders(['login' => $GLOBALS['userId'], 'folderId' => $aArgs['id'], 'edition' => true]);
         if (empty($folder[0])) {
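Review bot: The new guard calls isParentFolder for any parent_id, including an empty one, and isParentFolder answers true whenever FolderModel::getById returns nothing, so a request that moves the folder to the root or names a parent that does not exist is rejected with 'Id is a parent of parent_id' — unless a check earlier in the method, outside this hunk, already validates parent_id. Making the precondition explicit avoids relying on that: `if (!empty($data['parent_id']) && FolderController::isParentFolder(['parent_id' => $data['parent_id'], 'id' => $aArgs['id']])) {`. A missing parent is then a separate validation error with its own message rather than being reported as a cycle. The enclosing method starts and ends outside the hunk.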
@@ -658,4 +661,15 @@ class FolderController
 
         return true;
     }
+
+    private static function isParentFolder(array $args)
+    {
+        $parentInfo = FolderModel::getById(['id' => $args['parent_id'], 'select' => ['folders.id', 'parent_id']]);
+        if (empty($parentInfo) || $parentInfo['id'] == $args['id']) {
+            return true;
+        } elseif (!empty($parentInfo['parent_id'])) {
+            return FolderController::isParentFolder(['parent_id' => $parentInfo['parent_id'], 'id' => $args['id']]);
+        }
+        return false;
+    }
 }
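Review bot: isParentFolder walks the ancestor chain by recursion with no termination guard other than reaching $args['id'] or a root, so if the stored hierarchy already contains a cycle that does not pass through $args['id'] (possible for rows written before this fix), the recursion never ends and the request exhausts the stack. It also folds two different outcomes into `true` — "id is an ancestor of parent_id" and "parent_id does not exist" — which the caller reports with a single cycle message, and `$parentInfo['id'] == $args['id']` compares loosely where the ids come from different sources (database row vs. route argument). An iterative walk with a visited set bounds the loop regardless of data state; the existing behaviour for a missing parent is kept below so the caller's contract is unchanged. A docblock stating the contract would help, e.g. `/** Returns true when $args['id'] is $args['parent_id'] itself or one of its ancestors, or when parent_id does not exist. */`, and the method should declare `: bool`.
```php
    private static function isParentFolder(array $args)
    {
        $visited  = [];
        $parentId = $args['parent_id'];
        // Iterate instead of recursing so a pre-existing cycle in the data cannot loop forever.
        while (!empty($parentId) && !isset($visited[$parentId])) {
            $visited[$parentId] = true;
            $parentInfo = FolderModel::getById(['id' => $parentId, 'select' => ['folders.id', 'parent_id']]);
            if (empty($parentInfo)) {
                return true; // kept: a missing parent is rejected by the caller as before
            }
            if ((int)$parentInfo['id'] === (int)$args['id']) {
                return true;
            }
            $parentId = $parentInfo['parent_id'];
        }
        return false;
    }
```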
diff --git a/src/app/folder/models/FolderModelAbstract.php b/src/app/folder/models/FolderModelAbstract.php
index f5f3fa19f3a..c0c4f8b1825 100755
--- a/src/app/folder/models/FolderModelAbstract.php
+++ b/src/app/folder/models/FolderModelAbstract.php
@@ -25,7 +25,7 @@ class FolderModelAbstract
             'select'    => empty($aArgs['select']) ? ['*'] : $aArgs['select'],
             'table'     => ['folders', 'entities_folders'],
             'left_join' => ['folders.id = entities_folders.folder_id'],
-            'where'     => ['id = ?'],
+            'where'     => ['folders.id = ?'],
             'data'      => [$aArgs['id']]
         ]);
 
-- 
GitLab