Making sure the input properties are validated before ACL check method is invoked (so ACLs are checked on validated inputs).

krulis-martin · krulis-martin · commit 7d9f1059acc5 · 2025-09-30T13:42:14.000+02:00
diff --git a/app/V1Module/presenters/base/BasePresenter.php b/app/V1Module/presenters/base/BasePresenter.php
@@ -127,11 +127,11 @@ public function startup()
             $this->verifyUserIpLock($user);
         }
 
-        // ACL-checking method
-        $this->tryCall($this->formatPermissionCheckMethod($this->getAction()), $this->params);
-
         Validators::init();
         $this->processParams($actionReflection);
+
+        // ACL-checking method
+        $this->tryCall($this->formatPermissionCheckMethod($this->getAction()), $this->params);
     }
 
     protected function isRequestJson(): bool
diff --git a/tests/Presenters/ExercisesPresenter.phpt b/tests/Presenters/ExercisesPresenter.phpt
@@ -1106,15 +1106,32 @@ class TestExercisesPresenter extends Tester\TestCase
         });
         $exercise = current($exercises);
 
+        $postBody = [
+            'version' => 1,
+            'difficulty' => 'super hard',
+            'isPublic' => false,
+            'localizedTexts' => [
+                [
+                    'locale' => 'cs',
+                    'text' => 'new descr',
+                    'name' => 'new name',
+                    'description' => 'some neaty description'
+                ]
+            ],
+            'solutionFilesLimit' => 3,
+            'solutionSizeLimit' => 42,
+            'mergeJudgeLogs' => false,
+        ];
+
         // another supervisor cannot update this exercise
         Assert::exception(
-            function () use ($exercise) {
+            function () use ($exercise, $postBody) {
                 PresenterTestHelper::performPresenterRequest(
                     $this->presenter,
                     'V1:Exercises',
                     'POST',
                     ['action' => 'updateDetail', 'id' => $exercise->getId()],
-                    []
+                    $postBody
                 );
             },
             ForbiddenRequestException::class
@@ -1130,22 +1147,7 @@ class TestExercisesPresenter extends Tester\TestCase
             'V1:Exercises',
             'POST',
             ['action' => 'updateDetail', 'id' => $exercise->getId()],
-            [
-                'version' => 1,
-                'difficulty' => 'super hard',
-                'isPublic' => false,
-                'localizedTexts' => [
-                    [
-                        'locale' => 'cs',
-                        'text' => 'new descr',
-                        'name' => 'new name',
-                        'description' => 'some neaty description'
-                    ]
-                ],
-                'solutionFilesLimit' => 3,
-                'solutionSizeLimit' => 42,
-                'mergeJudgeLogs' => false,
-            ]
+            $postBody
         );
         $response = $this->presenter->run($request);
         Assert::type(Nette\Application\Responses\JsonResponse::class, $response);
diff --git a/tests/Security/UserLocking.phpt b/tests/Security/UserLocking.phpt
@@ -572,7 +572,7 @@ class UserLocking extends Tester\TestCase
                     'V1:Comments',
                     'POST',
                     ['action' => 'addComment', 'id' => $solution->getId()],
-                    ['text' => 'some comment text', 'isPrivate' => 'false']
+                    ['text' => 'some comment text', 'isPrivate' => false]
                 );
             },
             App\Exceptions\ForbiddenRequestException::class
@@ -610,7 +610,7 @@ class UserLocking extends Tester\TestCase
                     'V1:Comments',
                     'POST',
                     ['action' => 'addComment', 'id' => $solution->getId()],
-                    ['text' => 'some comment text', 'isPrivate' => 'false']
+                    ['text' => 'some comment text', 'isPrivate' => false]
                 );
             },
             App\Exceptions\ForbiddenRequestException::class
@@ -639,7 +639,7 @@ class UserLocking extends Tester\TestCase
                     'V1:Comments',
                     'POST',
                     ['action' => 'addComment', 'id' => $assignment->getId()],
-                    ['text' => 'some comment text', 'isPrivate' => 'false']
+                    ['text' => 'some comment text', 'isPrivate' => false]
                 );
             },
             App\Exceptions\ForbiddenRequestException::class
@@ -671,7 +671,7 @@ class UserLocking extends Tester\TestCase
                     'V1:Comments',
                     'POST',
                     ['action' => 'addComment', 'id' => $assignment->getId()],
-                    ['text' => 'some comment text', 'isPrivate' => 'false']
+                    ['text' => 'some comment text', 'isPrivate' => false]
                 );
             },
             App\Exceptions\ForbiddenRequestException::class

Original file line number	Diff line number	Diff line change
`@@ -127,11 +127,11 @@ public function startup()`
`127`	`127`	`$this->verifyUserIpLock($user);`
`128`	`128`	`}`
`129`	`129`
`130`		`- // ACL-checking method`
`131`		`- $this->tryCall($this->formatPermissionCheckMethod($this->getAction()), $this->params);`
`132`		`-`
`133`	`130`	`Validators::init();`
`134`	`131`	`$this->processParams($actionReflection);`
	`132`	`+`
	`133`	`+ // ACL-checking method`
	`134`	`+ $this->tryCall($this->formatPermissionCheckMethod($this->getAction()), $this->params);`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`protected function isRequestJson(): bool`