From f73e4adc44ae40af97fdc2d66c963db33486ef64 Mon Sep 17 00:00:00 2001
From: Philipp <admin@philipp.info>
Date: Thu, 7 Oct 2021 20:48:39 +0200
Subject: [PATCH] Add explicit check for PermissionSet and ProfileField

---
 src/Model/ProfileField.php                     | 18 +++++++++++++-----
 src/Module/Settings/Profile/Index.php          |  4 ++--
 .../PermissionSet/Depository/PermissionSet.php | 17 -----------------
 3 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/src/Model/ProfileField.php b/src/Model/ProfileField.php
index eafb88db78..8ed35f6c73 100644
--- a/src/Model/ProfileField.php
+++ b/src/Model/ProfileField.php
@@ -23,6 +23,7 @@ namespace Friendica\Model;
 
 use Friendica\BaseModel;
 use Friendica\Database\Database;
+use Friendica\Network\HTTPException\NotFoundException;
 use Friendica\Security\PermissionSet\Depository\PermissionSet as PermissionSetDepository;
 use Friendica\Security\PermissionSet\Entity\PermissionSet;
 use Psr\Log\LoggerInterface;
@@ -40,12 +41,12 @@ use Psr\Log\LoggerInterface;
  * @property string value
  * @property string created
  * @property string edited
- * @property PermissionSet permissionset
+ * @property PermissionSet permissionSet
  */
 class ProfileField extends BaseModel
 {
 	/** @var PermissionSet */
-	private $permissionset;
+	private $permissionSet;
 
 	/** @var PermissionSetDepository */
 	private $permissionSetDepository;
@@ -62,10 +63,17 @@ class ProfileField extends BaseModel
 		$this->checkValid();
 
 		switch ($name) {
-			case 'permissionset':
-				$this->permissionset = $this->permissionset ?? $this->permissionSetDepository->selectOneForUser($this->uid, $this->psid);
+			case 'permissionSet':
+				if (empty($this->permissionSet)) {
+					$permissionSet = $this->permissionSetDepository->selectOneById($this->psid);
+					if ($permissionSet->uid !== $this->uid) {
+						throw new NotFoundException(sprintf('PermissionSet %d for ProfileSet %d is invalid.', $permissionSet->uid, $this->uid));
+					}
 
-				$return = $this->permissionset;
+					$this->permissionSet = $permissionSet;
+				}
+
+				$return = $this->permissionSet;
 				break;
 			default:
 				$return = parent::__get($name);
diff --git a/src/Module/Settings/Profile/Index.php b/src/Module/Settings/Profile/Index.php
index 1f869aebf4..c51393c984 100644
--- a/src/Module/Settings/Profile/Index.php
+++ b/src/Module/Settings/Profile/Index.php
@@ -162,8 +162,8 @@ class Index extends BaseSettings
 		$profileFields = DI::profileField()->selectByUserId(local_user());
 		foreach ($profileFields as $profileField) {
 			/** @var ProfileField $profileField */
-			$defaultPermissions = $profileField->permissionset->withAllowedContacts(
-				Contact::pruneUnavailable($profileField->permissionset->allow_cid)
+			$defaultPermissions = $profileField->permissionSet->withAllowedContacts(
+				Contact::pruneUnavailable($profileField->permissionSet->allow_cid)
 			);
 
 			$custom_fields[] = [
diff --git a/src/Security/PermissionSet/Depository/PermissionSet.php b/src/Security/PermissionSet/Depository/PermissionSet.php
index 993fda05a5..fed3accee1 100644
--- a/src/Security/PermissionSet/Depository/PermissionSet.php
+++ b/src/Security/PermissionSet/Depository/PermissionSet.php
@@ -177,23 +177,6 @@ class PermissionSet extends BaseDepository
 		return $this->selectOrCreate($this->factory->createFromString($uid));
 	}
 
-	/**
-	 * Fetch one PermissionSet with check for ownership
-	 *
-	 * @param int $uid The user id
-	 * @param int $id  The unique id of the PermissionSet
-	 *
-	 * @return Entity\PermissionSet
-	 * @throws NotFoundException in case either the id is invalid or the PermissionSet does not relay to the given user
-	 */
-	public function selectOneForUser(int $uid, int $id): Entity\PermissionSet
-	{
-		return $this->selectOne([
-			'id'  => $id,
-			'uid' => $uid,
-		]);
-	}
-
 	/**
 	 * Selects or creates a PermissionSet based on it's fields
 	 *
-- 
2.39.5