Fixes the vulnerability associated with the ability to control the tasks of another user

Ostap34PHP · Ostap34PHP · commit 6673f36d7f7f · 2018-02-18T15:03:29.000+02:00
diff --git a/app/Http/Controllers/TaskController.php b/app/Http/Controllers/TaskController.php
@@ -61,7 +61,9 @@ public function store(Request $request)
      */
     public function show(Task $task)
     {
-        return view('tasks.show')->with('task', $task);
+        if($task->user_id == Auth::id()){
+            return view('tasks.show')->with('task', $task);
+        }
     }
 
     /**
@@ -72,7 +74,9 @@ public function show(Task $task)
      */
     public function edit(Task $task)
     {
-        return view('tasks.edit')->with('task', $task);
+        if($task->user_id == Auth::id()){
+            return view('tasks.edit')->with('task', $task);
+        }
     }
 
     /**
@@ -85,15 +89,17 @@ public function edit(Task $task)
     public function update($id, Request $request)
     {    
         $task = new Task;
-        $data = $this->validate(request(), [
-          'name'        => 'required|max:150;',
-          'description' => ''
-        ]);
+        if($task->user_id == Auth::id()){
+            $data = $this->validate(request(), [
+            'name'        => 'required|max:150;',
+            'description' => ''
+            ]);
 
-        $data['id'] = $id;
-        $task->updateTask($data);
-    
-        return back()->with('success', 'task has been updated');
+            $data['id'] = $id;
+        
+            $task->updateTask($data);
+            return back()->with('success', 'task has been updated');
+        }        
     }
 
     /**
@@ -105,9 +111,11 @@ public function update($id, Request $request)
     public function destroy($id)
     {
         $task = Task::find($id);
-        $task->delete();
+        if($task->user_id == Auth::id()){
+            $task->delete();
 
-        return redirect('/tasks')->with('success', 'Task has been deleted!!');
+            return redirect('/tasks')->with('success', 'Task has been deleted!!');
+        }
     }
         
     /**
@@ -119,13 +127,15 @@ public function destroy($id)
     public function complete($id)
     {
         $task = Task::find($id);
-        if(!$task->complete){
-            $task->complete = true;
-        }else{
-            $task->complete = false;            
-        }
-        $task->save();
+        if($task->user_id == Auth::id()){
+            if(!$task->complete){
+                $task->complete = true;
+            }else{
+                $task->complete = false;            
+            }
+            $task->save();
 
-        return redirect('/tasks')->with('success', 'Task has been completed!');
+            return redirect('/tasks')->with('success', 'Task has been completed!');
+        }
     }
 }
