fix: Add ownership verification for editing and managing playlists in add.json.php

Daniel Neto · Daniel Neto · commit 1e6dc20172de · 2026-03-27T10:21:05.000-03:00
https://github.com/WWBN/AVideo/security/advisories/GHSA-2rm7-j397-3fqg#event-597441
diff --git a/plugin/PlayLists/View/Playlists_schedules/add.json.php b/plugin/PlayLists/View/Playlists_schedules/add.json.php
@@ -1,33 +1,46 @@
-<?php
-header('Content-Type: application/json');
-require_once '../../../../videos/configuration.php';
-require_once $global['systemRootPath'] . 'plugin/PlayLists/Objects/Playlists_schedules.php';
-$obj = new stdClass();
-$obj->error = true;
-$obj->msg = "";
-
-$plugin = AVideoPlugin::loadPluginIfEnabled('PlayLists');
-if (empty($plugin)) {
-    forbiddenPage(__("The plugin is disabled"));
-}
-                                           
-if (!User::canStream()) {
-    forbiddenPage(__("You cannot livestream"));
-}
-
-$o = new Playlists_schedules(@$_POST['id']);
-$o->setPlaylists_id($_POST['playlists_id']);
-$o->setName($_POST['name']);
-$o->setDescription($_POST['description']);
-//$o->setStatus($_POST['status']);
-$o->setLoop($_POST['loop']);
-$o->setStart_datetime($_POST['start_datetime']);
-$o->setFinish_datetime($_POST['finish_datetime']);
-$o->setRepeat($_POST['repeat']);
-$o->setParameters($_POST['parameters']);
-
-if($id = $o->save()){
-    $obj->error = false;
-}
-
-echo json_encode($obj);
+<?php
+header('Content-Type: application/json');
+require_once '../../../../videos/configuration.php';
+require_once $global['systemRootPath'] . 'plugin/PlayLists/Objects/Playlists_schedules.php';
+$obj = new stdClass();
+$obj->error = true;
+$obj->msg = "";
+
+$plugin = AVideoPlugin::loadPluginIfEnabled('PlayLists');
+if (empty($plugin)) {
+    forbiddenPage(__("The plugin is disabled"));
+}
+
+if (!User::canStream()) {
+    forbiddenPage(__("You cannot livestream"));
+}
+
+// Verify ownership of the existing schedule when editing
+if (!empty($_POST['id'])) {
+    $existing = new Playlists_schedules(intval($_POST['id']));
+    if (!PlayLists::canManagePlaylist($existing->getPlaylists_id())) {
+        forbiddenPage(__("You cannot modify this schedule"));
+    }
+}
+
+// Verify ownership of the target playlist
+if (!PlayLists::canManagePlaylist($_POST['playlists_id'])) {
+    forbiddenPage(__("You cannot manage this playlist"));
+}
+
+$o = new Playlists_schedules(@$_POST['id']);
+$o->setPlaylists_id($_POST['playlists_id']);
+$o->setName($_POST['name']);
+$o->setDescription($_POST['description']);
+//$o->setStatus($_POST['status']);
+$o->setLoop($_POST['loop']);
+$o->setStart_datetime($_POST['start_datetime']);
+$o->setFinish_datetime($_POST['finish_datetime']);
+$o->setRepeat($_POST['repeat']);
+$o->setParameters($_POST['parameters']);
+
+if($id = $o->save()){
+    $obj->error = false;
+}
+
+echo json_encode($obj);
