Session: Ensure session ID exists in subscribeUsersToSession() and unsubscribe_user_from_session() - refs BT#20460

ywarnier · ywarnier · commit f276e71f4e64 · 2023-09-19T10:59:12.000+02:00
diff --git a/main/inc/lib/sessionmanager.lib.php b/main/inc/lib/sessionmanager.lib.php
@@ -2011,6 +2011,10 @@ public static function subscribeUsersToSession(
         $tbl_session_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_USER);
         $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
 
+        if (!self::isValidId($sessionId)) {
+            return false;
+        }
+
         $session = api_get_session_entity($sessionId);
 
         // from function parameter
@@ -2460,6 +2464,10 @@ public static function unsubscribe_user_from_session($session_id, $user_id)
         $tbl_session_rel_user = Database::get_main_table(TABLE_MAIN_SESSION_USER);
         $tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
 
+        if (!self::isValidId($session_id)) {
+            return false;
+        }
+
         $sql = "DELETE FROM $tbl_session_rel_user
                 WHERE
                     session_id = $session_id AND
