Add fix for security checking for verifyJobOrder. #424

2020-06-22 11:39:58 +00:00 · 2020-06-22 11:39:58 +00:00 · 9d41ecb228
commit 9d41ecb228
parent 47eaa6488f
1 changed files with 72 additions and 5 deletions
--- a/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php
+++ b/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php
@ -2080,16 +2080,27 @@ class CMBRiderAPIHandler implements RiderAPIHandlerInterface
        $required_params = [
            'jo_id'
        ];
-        $data = $this->checkJO($req, $required_params, $jo);
+        $data = $this->checkJOForVerify($req, $required_params, $jo);
        if (isset($data['error']))
        {
-            $data = [
-               'assigned' => false,
-               'available' => false,
-            ];
+            $data['title'] = 'Failed Verify Job Order';
            return $data;
        }

+        $rider = $this->session->getRider();
+        // check if rider is assigned to JO
+        if ($jo->getRider() != null)
+        {
+            if ($rider->getID() != $jo->getRider()->getID())
+            {
+                $data = [
+                    'assigned' => false,
+                    'available' => false,
+                ];
+                return $data;
+            }
+        }
+
        // check if JO status is not fulfilled and not cancelled
        if (($jo->getStatus() == JOStatus::FULFILLED) ||
            ($jo->getStatus() == JOStatus::CANCELLED))
@ -2287,6 +2298,62 @@ class CMBRiderAPIHandler implements RiderAPIHandlerInterface
        return $data;
    }

+    protected function checkJOForVerify(Request $req, $required_params, &$jo = null)
+    {
+        // set jo status to in transit
+        $data = $this->checkParamsAndKey($req, $required_params);
+        if (isset($data['error']))
+            return $data;
+
+        // are we logged in?
+        if (!$this->session->hasRider())
+        {
+            $data = [
+                'error' => 'No logged in rider.'
+            ];
+            return $data;
+        }
+
+        $rider = $this->session->getRider();
+
+        // get jo
+        $jo_id = '';
+        if ($req->getMethod() == 'GET')
+            $jo_id = $req->query->get('jo_id');
+        else
+            $jo_id = $req->request->get('jo_id');
+
+        $jo = $this->em->getRepository(JobOrder::class)->find($jo_id);
+        if ($jo == null)
+        {
+            $data = [
+                'error' => 'No job order found.'
+            ];
+            return $data;
+
+        }
+
+        // check if rider assigned to jo is our rider
+        if ($jo->getRider() == null)
+        {
+            $data = [
+                'error' => 'Job order selected has no rider assigned.'
+            ];
+            return $data;
+        }
+
+        /*
+        // check if rider is assigned to JO
+        if ($rider->getID() != $jo->getRider()->getID())
+        {
+            $data = [
+                'error' => 'Job order selected is not assigned to rider'
+            ];
+            return $data;
+        } */
+
+        return $data;
+    }

    protected function debugRequest(Request $req)
    {