Regular users can remove only their own tasks

6 files changed, 145 insertions, 2 deletions

diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index e9957bbd..e07aabf7 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -31,6 +31,7 @@ use Model\LastLogin;
  * @property \Model\Task               $task
  * @property \Model\TaskHistory        $taskHistory
  * @property \Model\TaskExport         $taskExport
+ * @property \Model\TaskPermission     $taskPermission
  * @property \Model\TaskValidator      $taskValidator
  * @property \Model\CommentHistory     $commentHistory
  * @property \Model\SubtaskHistory     $subtaskHistory
@@ -242,6 +243,10 @@ abstract class Base
      */
     protected function taskLayout($template, array $params)
     {
+        if (isset($params['task']) && $this->taskPermission->canRemoveTask($params['task']) === false) {
+            $params['hide_remove_menu'] = true;
+        }
+
         $content = $this->template->load($template, $params);
         $params['task_content_for_layout'] = $content;
 
diff --git a/app/Controller/Task.php b/app/Controller/Task.php
index 7bb989c6..28db5c28 100644
--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -289,6 +289,10 @@ class Task extends Base
     {
         $task = $this->getTask();
 
+        if (! $this->taskPermission->canRemoveTask($task)) {
+            $this->forbidden();
+        }
+
         if ($this->request->getStringParam('confirmation') === 'yes') {
 
             $this->checkCSRFParam();
diff --git a/app/Model/TaskPermission.php b/app/Model/TaskPermission.php
new file mode 100644
index 00000000..2ab154f4
--- /dev/null
+++ b/app/Model/TaskPermission.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Model;
+
+/**
+ * Task permission model
+ *
+ * @package  model
+ * @author   Frederic Guillot
+ */
+class TaskPermission extends Base
+{
+    /**
+     * Return true if the user can remove a task
+     *
+     * Regular users can't remove tasks from other people
+     *
+     * @public
+     * @return boolean
+     */
+    public function canRemoveTask(array $task)
+    {
+        if ($this->acl->isAdminUser()) {
+            return true;
+        }
+        else if (isset($task['creator_id']) && $task['creator_id'] == $this->acl->getUserId()) {
+            return true;
+        }
+
+        return false;
+    }
+}
diff --git a/app/Templates/task_layout.php b/app/Templates/task_layout.php
index 96c45608..ca0a413f 100644
--- a/app/Templates/task_layout.php
+++ b/app/Templates/task_layout.php
@@ -7,7 +7,7 @@
     </div>
     <section class="task-show" id="task-section">
 
-        <?= Helper\template('task_sidebar', array('task' => $task)) ?>
+        <?= Helper\template('task_sidebar', array('task' => $task, 'hide_remove_menu' => isset($hide_remove_menu))) ?>
 
         <div class="task-show-main">
             <?= $task_content_for_layout ?>
diff --git a/app/Templates/task_sidebar.php b/app/Templates/task_sidebar.php
index 4d363fec..4cffd5fa 100644
--- a/app/Templates/task_sidebar.php
+++ b/app/Templates/task_sidebar.php
@@ -18,7 +18,9 @@
                     <a href="?controller=task&amp;action=open&amp;task_id=<?= $task['id'] ?>"><?= t('Open this task') ?></a>
                 <?php endif ?>
             </li>
-            <li><a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
+            <?php if (! $hide_remove_menu): ?>
+                <li><a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
+            <?php endif ?>
         </ul>
     </div>
 </div>
\ No newline at end of file
diff --git a/tests/units/TaskPermissionTest.php b/tests/units/TaskPermissionTest.php
new file mode 100644
index 00000000..66036990
--- /dev/null
+++ b/tests/units/TaskPermissionTest.php
@@ -0,0 +1,100 @@
+<?php
+
+require_once __DIR__.'/Base.php';
+
+use Model\Task;
+use Model\TaskPermission;
+use Model\Project;
+use Model\Category;
+use Model\User;
+
+class TaskPermissionTest extends Base
+{
+    public function testPrepareCreation()
+    {
+        $t = new Task($this->registry);
+        $tp = new TaskPermission($this->registry);
+        $p = new Project($this->registry);
+        $u = new User($this->registry);
+
+        $this->assertTrue($u->create(array('username' => 'toto', 'password' => '123456')));
+        $this->assertTrue($u->create(array('username' => 'toto2', 'password' => '123456')));
+        $this->assertEquals(1, $p->create(array('name' => 'Project #1')));
+        $this->assertEquals(1, $t->create(array('title' => 'Task #1', 'project_id' => 1, 'creator_id' => 1)));
+        $this->assertEquals(2, $t->create(array('title' => 'Task #2', 'project_id' => 1, 'creator_id' => 2)));
+        $this->assertEquals(3, $t->create(array('title' => 'Task #3', 'project_id' => 1, 'creator_id' => 3)));
+        $this->assertEquals(4, $t->create(array('title' => 'Task #4', 'project_id' => 1)));
+
+        // User #1 can remove everything
+        $user = $u->getbyId(1);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(1);
+        $this->assertNotEmpty($task);
+        $this->assertTrue($tp->canRemoveTask($task));
+
+        // User #2 can't remove the task #1
+        $user = $u->getbyId(2);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(1);
+        $this->assertNotEmpty($task);
+        $this->assertFalse($tp->canRemoveTask($task));
+
+        // User #1 can remove everything
+        $user = $u->getbyId(1);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(2);
+        $this->assertNotEmpty($task);
+        $this->assertTrue($tp->canRemoveTask($task));
+
+        // User #2 can remove his own task
+        $user = $u->getbyId(2);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(2);
+        $this->assertNotEmpty($task);
+        $this->assertTrue($tp->canRemoveTask($task));
+
+        // User #1 can remove everything
+        $user = $u->getbyId(1);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(3);
+        $this->assertNotEmpty($task);
+        $this->assertTrue($tp->canRemoveTask($task));
+
+        // User #2 can't remove the task #3
+        $user = $u->getbyId(2);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(3);
+        $this->assertNotEmpty($task);
+        $this->assertFalse($tp->canRemoveTask($task));
+
+        // User #1 can remove everything
+        $user = $u->getbyId(1);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(4);
+        $this->assertNotEmpty($task);
+        $this->assertTrue($tp->canRemoveTask($task));
+
+        // User #2 can't remove the task #4
+        $user = $u->getbyId(2);
+        $this->assertNotEmpty($user);
+        $u->updateSession($user);
+
+        $task = $t->getbyId(4);
+        $this->assertNotEmpty($task);
+        $this->assertFalse($tp->canRemoveTask($task));
+    }
+}