Merge pull request Aspen-Discovery#2109 from AlexanderBlanchardAC/24.…

…11.00_IDOR_fix 24.11.00 idor fix
PTFS-Europe · Oct 23, 2024 · 5523f5a · 5523f5a
2 parents 67d77ee + 95a8e04
commit 5523f5a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/code/web/release_notes/24.11.00.MD b/code/web/release_notes/24.11.00.MD
@@ -61,6 +61,8 @@
 //james - nashville
 
 //alexander - ptfse
+### Other Updates
+- Add check to saveToList function to ensure the user attempting to add a book to the list is authorised to do so. (*AB*)
 
 //chloe - ptfse
 ### Other

diff --git a/code/web/services/MyAccount/AJAX.php b/code/web/services/MyAccount/AJAX.php
@@ -7085,14 +7085,25 @@ function saveToList() {
 				$totalRecords = 0;
 			} else {
 				$userList->id = $listId;
-				$totalRecords = $userList->numValidListItems();
 				if (!$userList->find(true)) {
 					$result['success'] = false;
 					$result['message'] = translate([
 						'text' => 'Sorry, we could not find that list in the system.',
 						'isPublicFacing' => true,
 					]);
 					$listOk = false;
+				} else {
+						//Authorization check: Ensure list belongs to logged in user
+					$currentUser = UserAccount::getActiveUserObj();
+					if (!$currentUser->canEditList($userList)) {
+						$result['success'] = false;
+						$result['message'] =translate([
+							'text' => 'You are not authorized to modify this list.',
+							'isPublicFacing' => true,
+						]);
+						return $result;
+					}
+					$totalRecords = $userList->numValidListItems();
 				}
 			}