From 9d41ecb228ee06e6c17f1131e7fff75952dfb224 Mon Sep 17 00:00:00 2001
From: Korina Cordero
Date: Mon, 22 Jun 2020 11:39:58 +0000
Subject: [PATCH] Add fix for security checking for verifyJobOrder. #424

---
 .../RiderAPIHandler/CMBRiderAPIHandler.php | 77 +++++++++++++++++--
 1 file changed, 72 insertions(+), 5 deletions(-)

diff --git a/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php b/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php
index f884a7ac..a9929c16 100644
--- a/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php
+++ b/src/Service/RiderAPIHandler/CMBRiderAPIHandler.php
@@ -2080,16 +2080,27 @@ class CMBRiderAPIHandler implements RiderAPIHandlerInterface
 $required_params = [
 'jo_id'
 ];
- $data = $this->checkJO($req, $required_params, $jo);
+ $data = $this->checkJOForVerify($req, $required_params, $jo);
 if (isset($data['error']))
 {
- $data = [
- 'assigned' => false,
- 'available' => false,
- ];
+ $data['title'] = 'Failed Verify Job Order';
 return $data;
 }
 
+ $rider = $this->session->getRider();
+ // check if rider is assigned to JO
+ if ($jo->getRider() != null)
+ {
+ if ($rider->getID() != $jo->getRider()->getID())
+ {
+ $data = [
+ 'assigned' => false,
+ 'available' => false,
+ ];
+ return $data;
+ }
+ }
+
 // check if JO status is not fulfilled and not cancelled
 if (($jo->getStatus() == JOStatus::FULFILLED) ||
 ($jo->getStatus() == JOStatus::CANCELLED))
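Review bot: The outer guard `if ($jo->getRider() != null)` added to verifyJobOrder cannot be false at this point, because checkJOForVerify (second hunk) already returns an error when the job order has no rider, so the assignment check reads as conditional when it is not. Flattening it to `if ($rider->getID() !== $jo->getRider()->getID()) { return ['assigned' => false, 'available' => false]; }` makes the check unconditional and easy to audit, and the strict comparison removes loose-equality surprises if the ids are ever returned as strings. A one-line comment on that branch, such as `// job order belongs to another rider: report it as neither assigned nor available`, would explain why this path returns no 'error' key while the one above it does. verifyJobOrder starts before this hunk and its body continues past it.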
@@ -2287,6 +2298,62 @@ class CMBRiderAPIHandler implements RiderAPIHandlerInterface
 return $data;
 }
 
+ protected function checkJOForVerify(Request $req, $required_params, &$jo = null)
+ {
+ // set jo status to in transit
+ $data = $this->checkParamsAndKey($req, $required_params);
+ if (isset($data['error']))
+ return $data;
+
+ // are we logged in?
+ if (!$this->session->hasRider())
+ {
+ $data = [
+ 'error' => 'No logged in rider.'
+ ];
+ return $data;
+ }
+
+ $rider = $this->session->getRider();
+
+ // get jo
+ $jo_id = '';
+ if ($req->getMethod() == 'GET')
+ $jo_id = $req->query->get('jo_id');
+ else
+ $jo_id = $req->request->get('jo_id');
+
+ $jo = $this->em->getRepository(JobOrder::class)->find($jo_id);
+ if ($jo == null)
+ {
+ $data = [
+ 'error' => 'No job order found.'
+ ];
+ return $data;
+
+ }
+
+ // check if rider assigned to jo is our rider
+ if ($jo->getRider() == null)
+ {
+ $data = [
+ 'error' => 'Job order selected has no rider assigned.'
+ ];
+ return $data;
+ }
+
+ /*
+ // check if rider is assigned to JO
+ if ($rider->getID() != $jo->getRider()->getID())
+ {
+ $data = [
+ 'error' => 'Job order selected is not assigned to rider'
+ ];
+ return $data;
+ } */
+
+ return $data;
+ }
 
 protected function debugRequest(Request $req)
 {
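Review bot: The rider-ownership check in checkJOForVerify is left as a commented-out block at the end of the method and `$rider` is assigned but never read, so despite its name the method only proves that some rider is assigned to the job order, not that it is the caller's; the header comment `// set jo status to in transit` also describes something the method does not do. Delete the commented block and the unused `$rider` line, and replace the header comment with a docblock such as `/** Resolves the job order for verifyJobOrder and checks that a rider is assigned; the caller must compare that rider with the logged-in one. */` so the next reader does not assume ownership is enforced here. `$jo_id` goes straight from the request to `find()`; unless checkParamsAndKey (outside this hunk) already constrains its type, casting it to a string before the lookup keeps a non-scalar value from reaching the repository. The loose comparisons `$jo == null`, `$jo->getRider() == null` and `$req->getMethod() == 'GET'` would be safer as `===`.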