From c2bbe364b82978b05a6801dc8a559dc6e95e57d1 Mon Sep 17 00:00:00 2001
From: Nathan Cheval <nathan.cheval@outlook.fr>
Date: Tue, 18 Dec 2018 18:02:57 +0100
Subject: [PATCH] Add perimeter check for doc

---
 .../controllers/ReconciliationController.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/app/attachment/controllers/ReconciliationController.php b/src/app/attachment/controllers/ReconciliationController.php
index aade21fa819..b2d103e2af0 100755
--- a/src/app/attachment/controllers/ReconciliationController.php
+++ b/src/app/attachment/controllers/ReconciliationController.php
@@ -6,6 +6,7 @@ use Slim\Http\Request;
 use Slim\Http\Response;
 use Attachment\models\AttachmentModel;
 use Resource\models\ResModel;
+use Resource\controllers\ResController;
 use Respect\Validation\Validator;
 use History\controllers\HistoryController;
 use Resource\controllers\StoreController;
@@ -23,6 +24,10 @@ class ReconciliationController
             return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
         }
 
+        if (!Validator::intVal()->validate($data['resId']) || !ResController::hasRightByResId(['resId' => $data['resId'], 'userId' => $GLOBALS['userId']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         $resId = ReconciliationController::getWs($data);
 
         if (empty($resId) || !empty($resId['errors'])) {
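Review bot: A missing or non-integer `resId` is answered with 403 'Document out of perimeter' rather than 400, because the added condition folds the format check into the rights check with `||`; the 'Bad Request' branch two lines above is the right answer for malformed input, and reading `$data['resId']` when the key is absent also raises an undefined-index notice before the validator ever sees it. Split it into `if (!Validator::intVal()->validate($data['resId'] ?? null)) { return $response->withStatus(400)->withJson(['errors' => 'Bad Request']); }` followed by the existing `hasRightByResId` check returning 403, so the status code tells the client whether the input was bad or the document is out of reach. The method enclosing this hunk starts before the hunk, so whatever validation `$data` has already passed is not visible here.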
@@ -164,19 +169,23 @@ class ReconciliationController
     public function checkAttachment(Request $request, Response $response)
     {
-        $data = $request->getParams();
+        $data = $request->getQueryParams();
 
         $check = Validator::stringType()->notEmpty()->validate($data['chrono']);
         if (!$check) {
             return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
         }
 
         $attachment = AttachmentModel::getOnView([
-            'select' => [1],
+            'select' => ['res_id_master'],
             'where' => ['identifier = ?', "status IN ('A_TRA', 'NEW','TMP')"],
             'data' => [$data['chrono']],
             'orderBy' => ['res_id DESC']
         ])[0];
 
+        if (!Validator::intVal()->validate($attachment['res_id_master']) || !ResController::hasRightByResId(['resId' => $attachment['res_id_master'], 'userId' => $GLOBALS['userId']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         if ($attachment == false) {
             return $response->withStatus(500)->withJson(['errors' => '[ReconciliationController checkAttachment] ' . _NO_ATTACHMENT_CHRONO]);
         }else{
-- 
GitLab
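Review bot: The new perimeter check is placed before the existing `if ($attachment == false)` test, so when no attachment matches the chrono, `getOnView([...])[0]` yields null, `$attachment['res_id_master']` fails `intVal()` validation, and the request is answered with 403 'Document out of perimeter' — the 500 `_NO_ATTACHMENT_CHRONO` branch below it can no longer be reached. Move the `if ($attachment == false)` return above the perimeter check so a missing attachment keeps its own error and the 403 is produced only for a document that exists but is outside the caller's perimeter. Indexing `[0]` on an empty result also emits an undefined-offset notice; `$attachment = AttachmentModel::getOnView([...])[0] ?? null;` avoids it without changing the subsequent check. If distinguishing 'no such chrono' from 'forbidden' is considered an enumeration concern for this endpoint, that would be a deliberate decision worth a comment rather than a side effect of ordering. The body of checkAttachment continues past the end of the hunk.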