Merge remote-tracking branch 'refs/remotes/origin/master'

author: Busfreak <martin@middeke.de> 2015-12-15 12:00:47 +0100
committer: Busfreak <martin@middeke.de> 2015-12-15 12:00:47 +0100
commit: 16e8241f0f29f0afb9c4ad4c6f68699d62d889ff (patch)
tree: aa0f03c5c1d7897246e513e52c6a1f823709dd3d /app/Api
parent: b834f5475c8eebb76548046558e7d1464cbd01d4 (diff)
parent: 9e1f4fa6c7eae1b46cf5431ab085b82e970e2d57 (diff)
1 files changed, 20 insertions, 4 deletions
diff --git a/app/Api/Task.php b/app/Api/Task.php
index 0dceb209..4a7ee932 100644
--- a/app/Api/Task.php
+++ b/app/Api/Task.php
@@ -71,6 +71,14 @@ class Task extends Base
     {
         $this->checkProjectPermission($project_id);
 
+        if ($owner_id !== 0 && ! $this->projectPermission->isMember($project_id, $owner_id)) {
+            return false;
+        }
+
+        if ($this->userSession->isLogged()) {
+            $creator_id = $this->userSession->getId();
+        }
+
         $values = array(
             'title' => $title,
             'project_id' => $project_id,
@@ -96,20 +104,28 @@ class Task extends Base
         return $valid ? $this->taskCreation->create($values) : false;
     }
 
-    public function updateTask($id, $title = null, $project_id = null, $color_id = null, $owner_id = null,
-                               $creator_id = null, $date_due = null, $description = null, $category_id = null, $score = null,
+    public function updateTask($id, $title = null, $color_id = null, $owner_id = null,
+                               $date_due = null, $description = null, $category_id = null, $score = null,
                                $recurrence_status = null, $recurrence_trigger = null, $recurrence_factor = null,
                                $recurrence_timeframe = null, $recurrence_basedate = null, $reference = null)
     {
         $this->checkTaskPermission($id);
 
+        $project_id = $this->taskFinder->getProjectId($id);
+
+        if ($project_id === 0) {
+            return false;
+        }
+
+        if ($owner_id !== null && ! $this->projectPermission->isMember($project_id, $owner_id)) {
+            return false;
+        }
+
         $values = array(
             'id' => $id,
             'title' => $title,
-            'project_id' => $project_id,
             'color_id' => $color_id,
             'owner_id' => $owner_id,
-            'creator_id' => $creator_id,
             'date_due' => $date_due,
             'description' => $description,
             'category_id' => $category_id,
author	Busfreak <martin@middeke.de>	2015-12-15 12:00:47 +0100
committer	Busfreak <martin@middeke.de>	2015-12-15 12:00:47 +0100
commit	16e8241f0f29f0afb9c4ad4c6f68699d62d889ff (patch)
tree	aa0f03c5c1d7897246e513e52c6a1f823709dd3d /app/Api
parent	b834f5475c8eebb76548046558e7d1464cbd01d4 (diff)
parent	9e1f4fa6c7eae1b46cf5431ab085b82e970e2d57 (diff)