Fixing security vunerability

d4nt · d4nt · commit 57b700823f8e · 2019-11-23T07:17:27.000Z
diff --git a/Web/Controllers/InvitationsController.cs b/Web/Controllers/InvitationsController.cs
@@ -61,7 +61,10 @@ public ActionResult Index()
                 .Include(c => c.CreatedBy)
                 .GroupBy(c => c.OrganisationId))
             {
-                InvitationViewModel viewModel = new InvitationViewModel();
+                InvitationViewModel viewModel = new InvitationViewModel
+                {
+                    OrganisationInviteId = orgGrp.First().OrganisationInviteId
+                };
                 
                 Organisation organisation = db.Organisations.First(ba => ba.OrganisationId == orgGrp.Key);
                 viewModel.OrganisationId = organisation.OrganisationId;
@@ -119,22 +122,20 @@ public ActionResult Accept(int id)
                 return NotFound("Could not find user");
             }
 
-            var organisation = db.Organisations.FirstOrDefault(ba => ba.OrganisationId == id);
+            var invite = db.OrganisationInvites.FirstOrDefault(uc => uc.InviteEmail.ToLower() == CurrentUser.Email.ToLower() && uc.AcceptedOn == null && uc.RejectedOn == null && uc.OrganisationInviteId == id);
 
-            if (organisation == null)
+            if (invite == null)
             {
-                return NotFound("Organisation not found");
+                return NotFound("Invite not found");
             }
 
-            // remove other invitations to other organisations
-            db.OrganisationInvites.RemoveWhere(uc => uc.InviteEmail.ToLower() == CurrentUser.Email.ToLower() && uc.OrganisationId != id);
+            var organisation = db.Organisations.FirstOrDefault(ba => ba.OrganisationId == invite.OrganisationId);
 
-            db.SaveChanges();
+            if (organisation == null)
+            {
+                return NotFound("Organisation not found");
+            }
 
-            var invitationsToAccept = db.OrganisationInvites
-                .Where(uc => uc.InviteEmail == CurrentUser.Email && uc.OrganisationId == id)
-                .ToList();
-            
             List<DatabaseConnection> leave = new List<DatabaseConnection>();
             List<DatabaseConnection> migrate = new List<DatabaseConnection>();
             
@@ -173,11 +174,16 @@ public ActionResult Accept(int id)
             
             CurrentUser.OrganisationId = organisation.OrganisationId;
 
-            foreach (var invite in invitationsToAccept)
+            invite.AcceptedOn = DateTime.Now;
+            
+            // reject other invitations to other organisations
+            var invitesToReject = db.OrganisationInvites.Where(uc => uc.InviteEmail.ToLower() == CurrentUser.Email.ToLower() && uc.OrganisationInviteId != invite.OrganisationInviteId);
+        
+            foreach (var inviteToReject in invitesToReject)
             {
-                invite.AcceptedOn = DateTime.Now;
+                inviteToReject.RejectedOn = DateTime.Now;
             }
-        
+
             db.SaveChanges();
 
             return RedirectToAction("Index", "Home");
@@ -190,7 +196,13 @@ public ActionResult Reject(int id)
                 return NotFound("Could not find user");
             }
             
-            var invite = db.OrganisationInvites.First(i => i.InviteEmail.ToLower() == CurrentUser.Email.ToLower() && i.OrganisationId == id && i.AcceptedOn == null && i.RejectedOn == null);
+            var invite = db.OrganisationInvites.FirstOrDefault(uc => uc.InviteEmail.ToLower() == CurrentUser.Email.ToLower() && uc.AcceptedOn == null && uc.RejectedOn == null && uc.OrganisationInviteId == id);
+
+            if (invite == null)
+            {
+                return NotFound("Invite not found");
+            }
+
             invite.RejectedOn = DateTime.Now;
 
             db.SaveChanges();
diff --git a/Web/ViewModels/InvitationViewModel.cs b/Web/ViewModels/InvitationViewModel.cs
@@ -58,6 +58,8 @@ public string Description
 
         public int OrganisationId { get; set; }
 
+        public int OrganisationInviteId { get; set; }
+
         public bool IsOrganisationAdmin { get; set; }
 
         public List<string> DatabasesMerged { get; set; }
diff --git a/Web/Views/Invitations/Index.cshtml b/Web/Views/Invitations/Index.cshtml
@@ -44,11 +44,11 @@
                     }
 					<div class="row">
 						<div class="col-md-6">
-							@Html.ActionLink("Accept", "Accept", new { id = item.OrganisationId }, new { @class = "btn btn-lg btn-success" })
+							@Html.ActionLink("Accept", "Accept", new { id = item.OrganisationInviteId }, new { @class = "btn btn-lg btn-success" })
 						</div>
 
 						<div class="col-md-6">
-							@Html.ActionLink("Reject", "Reject", new { id = item.OrganisationId }, new { @class = "btn btn-lg btn-warning rhs-delete" })
+							@Html.ActionLink("Reject", "Reject", new { id = item.OrganisationInviteId }, new { @class = "btn btn-lg btn-warning rhs-delete" })
 						</div>
 					</div>
 				</div>
