Unauthorized access to sent emails and messages #1284

Admidio · Jun 13, 2022 · 64c3040 · 64c3040
1 parent 97674a5
commit 64c3040
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 11 deletions.
diff --git a/adm_program/modules/messages/messages_write.php b/adm_program/modules/messages/messages_write.php
@@ -69,6 +69,12 @@
 
 // Update the read status of the message
 if ($getMsgUuid !== '') {
+    // check if user is allowed to view message
+    if(!in_array($gCurrentUserId, array($message->getValue('msg_usr_id_sender'), $message->getConversationPartner()))) {
+        $gMessage->show($gL10n->get('SYS_INVALID_PAGE_VIEW'));
+        // => EXIT
+    }
+
     // update the read-status
     $message->setReadValue();
 
@@ -79,7 +85,11 @@
     }
 
     $getSubject = $message->getValue('msg_subject', 'database');
-    $user = new User($gDb, $gProfileFields, $message->getConversationPartner());
+    if($gCurrentUserId !== $message->getValue('msg_usr_id_sender')) {
+        $user = new User($gDb, $gProfileFields, $message->getValue('msg_usr_id_sender'));
+    } else {
+        $user = new User($gDb, $gProfileFields, $message->getConversationPartner());
+    }
     $getUserUuid = $user->getValue('usr_uuid');
 } elseif ($getUserUuid !== '') {
     $user = new User($gDb, $gProfileFields);

diff --git a/adm_program/system/classes/TableMessage.php b/adm_program/system/classes/TableMessage.php
@@ -312,12 +312,10 @@ public function getConversation($msgId)
 
     /**
      * If the message type is PM this method will return the conversation partner of the PM.
-     * @param int $usrId
-     * @return int Returns **ID** of the user that is partner in the actual conversation or false if its not a message.
+     * @return int Returns **ID** of the user that is partner in the actual conversation or false if it's not a message.
      */
     public function getConversationPartner()
     {
-        global $gLogger;
         if ($this->getValue('msg_type') === self::MESSAGE_TYPE_PM) {
             $recipients = $this->readRecipientsData();
             return $recipients[0]['id'];
@@ -364,7 +362,7 @@ public function getRecipientsNamesString($showFullUserNames = true)
                 }
             }
 
-            // if full user names should not be shown than create a text with the number of individual recipients
+            // if full usernames should not be shown than create a text with the number of individual recipients
             if (!$showFullUserNames && $singleRecipientsCount > 0) {
                 if ($singleRecipientsCount === 1) {
                     $textIndividualRecipients = $gL10n->get('SYS_COUNT_INDIVIDUAL_RECIPIENT', array($singleRecipientsCount));
@@ -438,12 +436,6 @@ public function readRecipientsData()
                 if ($row['msr_usr_id'] > 0) {
                     $recipientUsrId = (int) $row['msr_usr_id'];
 
-                    // PMs could have the current user as recipient than the sender is the recipient for this user
-                    if ($this->getValue('msg_type') === self::MESSAGE_TYPE_PM
-                    && $recipientUsrId == $GLOBALS['gCurrentUserId']) {
-                        $recipientUsrId = (int) $row['msg_usr_id_sender'];
-                    }
-
                     // add role to recipients
                     $this->msgRecipientsArray[] =
                         array('type'   => 'user',