From 91e7286fa19464fb50e43ce1f79834ad65c249dc Mon Sep 17 00:00:00 2001 From: larssandergreen Date: Tue, 9 May 2023 15:33:34 -0600 Subject: [PATCH] Prevent unauthorized self-service participant update via URL --- CRM/Event/Form/SelfSvcTransfer.php | 2 +- CRM/Event/Form/SelfSvcUpdate.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CRM/Event/Form/SelfSvcTransfer.php b/CRM/Event/Form/SelfSvcTransfer.php index 4f22bfe0ea..9da0938089 100644 --- a/CRM/Event/Form/SelfSvcTransfer.php +++ b/CRM/Event/Form/SelfSvcTransfer.php @@ -137,7 +137,7 @@ class CRM_Event_Form_SelfSvcTransfer extends CRM_Core_Form { $this->_userContext = $session->readUserContext(); $this->_from_participant_id = CRM_Utils_Request::retrieve('pid', 'Positive', $this, FALSE, NULL, 'REQUEST'); $this->_userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this, FALSE, NULL, 'REQUEST'); - $this->isBackoffice = CRM_Utils_Request::retrieve('is_backoffice', 'String', $this, FALSE, NULL, 'REQUEST') ?? FALSE; + $this->isBackoffice = (CRM_Utils_Request::retrieve('is_backoffice', 'String', $this, FALSE, FALSE, 'REQUEST') && CRM_Core_Permission::check('edit event participants')) ?? FALSE; $params = ['id' => $this->_from_participant_id]; $participant = $values = []; $this->_participant = CRM_Event_BAO_Participant::getValues($params, $values, $participant); diff --git a/CRM/Event/Form/SelfSvcUpdate.php b/CRM/Event/Form/SelfSvcUpdate.php index ed1055eb49..df6f91d5c3 100644 --- a/CRM/Event/Form/SelfSvcUpdate.php +++ b/CRM/Event/Form/SelfSvcUpdate.php @@ -110,7 +110,7 @@ class CRM_Event_Form_SelfSvcUpdate extends CRM_Core_Form { $participant = $values = []; $this->_participant_id = CRM_Utils_Request::retrieve('pid', 'Positive', $this, FALSE, NULL, 'REQUEST'); $this->_userChecksum = CRM_Utils_Request::retrieve('cs', 'String', $this, FALSE, NULL, 'REQUEST'); - $this->isBackoffice = CRM_Utils_Request::retrieve('is_backoffice', 'String', $this, FALSE, FALSE, 'REQUEST') ?? FALSE; + $this->isBackoffice = (CRM_Utils_Request::retrieve('is_backoffice', 'String', $this, FALSE, FALSE, 'REQUEST') && CRM_Core_Permission::check('edit event participants')) ?? FALSE; $params = ['id' => $this->_participant_id]; $this->_participant = CRM_Event_BAO_Participant::getValues($params, $values, $participant); $this->_part_values = $values[$this->_participant_id]; -- 2.25.1