soeren/fotospiel-app
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Harden tenant admin auth and photo moderation
Some checks failed
linter / quality (push) Has been cancelled
Details
tests / ci (push) Has been cancelled
Details
tests / ui (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Codex Agent
2026-01-30 14:53:51 +01:00
parent d45cb6a087
commit 916b204688
7 changed files with 220 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
app/Http/Controllers/TenantAdminFacebookController.php
View File

@@ -100,13 +100,30 @@ class TenantAdminFacebookController extends Controller
return null;
}
if (str_starts_with($decoded, '//')) {
return null;
}
if (str_starts_with($decoded, '/')) {
return $decoded;
}
$targetHost = parse_url($decoded, PHP_URL_HOST);
$appHost = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
if ($targetHost && $appHost && ! Str::endsWith($targetHost, $appHost)) {
if (! $targetHost || ! $appHost || ! $this->isAllowedReturnHost($targetHost, $appHost)) {
return null;
}
return $decoded;
}
private function isAllowedReturnHost(string $targetHost, string $appHost): bool
{
if ($targetHost === $appHost) {
return true;
}
return Str::endsWith($targetHost, '.'.$appHost);
}
}