From cd4f4d97f526d7df8d3a1af806d37eaa720145f5 Mon Sep 17 00:00:00 2001
From: Victor Dubiniuk
Date: Thu, 10 Apr 2014 20:14:45 +0300
Subject: [PATCH] Check token by member type, not by file

---
 ajax/sessionController.php | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/ajax/sessionController.php b/ajax/sessionController.php
index 9acd3e6e..8cfcd219 100644
--- a/ajax/sessionController.php
+++ b/ajax/sessionController.php
@@ -70,6 +70,19 @@ class SessionController extends Controller{
 }
 $memberId = @$_SERVER['HTTP_WEBODF_MEMBER_ID'];
+ $currentMember = new Db_Member();
+ $currentMemberData = $currentMember->load($memberId)->getData();
+ if (isset($currentMemberData['is_guest']) && $currentMemberData['is_guest']){
+ self::preDispatchGuest();
+ } else {
+ self::preDispatch();
+ }
+
+ //check if member belongs to the session
+ if (!isset($currentMemberData['es_id']) || $esId!=$currentMemberData['es_id']){
+ throw new \Exception($memberId . ' does not belong to session ' . $esId);
+ }
+
 $sessionRevision = @$_SERVER['HTTP_WEBODF_SESSION_REVISION'];
 $stream = fopen('php://input','r');
@@ -87,11 +100,6 @@ class SessionController extends Controller{
 $sessionData = $session->getData();
 try {
 $file = new File($sessionData['file_id']);
- if (!$file->isPublicShare()){
- self::preDispatch();
- } else {
- self::preDispatchGuest();
- }
 list($view, $path) = $file->getOwnerViewAndPath();
 } catch (\Exception $e){
 //File was deleted or unshared. We need to save content as new file anyway
@@ -111,11 +119,6 @@ class SessionController extends Controller{
 },
 $members
 );
-
- //check if member belongs to the session
- if (!in_array($memberId, $memberIds)){
- throw new \Exception($memberId . ' does not belong to session ' . $esId);
- }
 // Active users except current user
 $memberCount = count($memberIds) - 1;
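Review bot: The membership check added in the first hunk compares `$esId!=$currentMemberData['es_id']` with loose inequality, which applies PHP's numeric-string coercion to two values that should only ever match byte-for-byte; use a strict comparison, `if (!isset($currentMemberData['es_id']) || (string) $esId !== (string) $currentMemberData['es_id']){`. Note also that the choice between `preDispatchGuest()` and `preDispatch()` is now driven by a `Db_Member` record looked up from the client-supplied `HTTP_WEBODF_MEMBER_ID` header before any authentication has run, so the guest path is reachable for any request that names a guest member; that is presumably intended by the commit, but it is worth confirming that `preDispatchGuest()` binds its token check to that same member rather than only to the session, and a short comment stating that assumption at the `is_guest` branch would help the next reader. The `@` on the header read silently turns a missing header into `null`, which `load()` then receives; an explicit `?? ''` with an early throw would make the failure mode visible. The enclosing method starts before this hunk, and `$esId` is assigned outside it.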