author | Frederic Guillot <fred@kanboard.net> | 2015-12-12 17:46:11 -0500 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2015-12-12 17:46:11 -0500 |
commit | 486238b5485d61cdc4e66244632f91357d014059 (patch) | |
tree | 75857aad9dc7532102e0c11eae78e4fe7745ebe6 /app/Api | |
parent | 7b997692273055ada47b5b97f0cc5eb22fb0c0ca (diff) |
API: check project membership for task operations
Diffstat (limited to 'app/Api')
-rw-r--r-- | app/Api/Task.php | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/app/Api/Task.php b/app/Api/Task.php
index 0dceb209..4a7ee932 100644
--- a/app/Api/Task.php
+++ b/app/Api/Task.php
@@ -71,6 +71,14 @@ class Task extends Base
 {
 $this->checkProjectPermission($project_id);
+ if ($owner_id !== 0 && ! $this->projectPermission->isMember($project_id, $owner_id)) {
+ return false;
+ }
+
+ if ($this->userSession->isLogged()) {
+ $creator_id = $this->userSession->getId();
+ }
+
 $values = array(
 'title' => $title,
 'project_id' => $project_id,
@@ -96,20 +104,28 @@ class Task extends Base
 return $valid ? $this->taskCreation->create($values) : false;
 }
- public function updateTask($id, $title = null, $project_id = null, $color_id = null, $owner_id = null,
- $creator_id = null, $date_due = null, $description = null, $category_id = null, $score = null,
+ public function updateTask($id, $title = null, $color_id = null, $owner_id = null,
+ $date_due = null, $description = null, $category_id = null, $score = null,
 $recurrence_status = null, $recurrence_trigger = null, $recurrence_factor = null,
 $recurrence_timeframe = null, $recurrence_basedate = null, $reference = null)
 {
 $this->checkTaskPermission($id);
+ $project_id = $this->taskFinder->getProjectId($id);
+
+ if ($project_id === 0) {
+ return false;
+ }
+
+ if ($owner_id !== null && ! $this->projectPermission->isMember($project_id, $owner_id)) {
+ return false;
+ }
+
 $values = array(
 'id' => $id,
 'title' => $title,
- 'project_id' => $project_id,
 'color_id' => $color_id,
 'owner_id' => $owner_id,
- 'creator_id' => $creator_id,
 'date_due' => $date_due,
 'description' => $description,
 'category_id' => $category_id, |
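Review bot: The new `$creator_id = $this->userSession->getId();` block silently overrides whatever creator_id the API caller supplied whenever a user session is logged in, yet the parameter is still accepted by createTask (its signature sits above this hunk, so I cannot confirm it is still declared). Recording the authenticated principal rather than a caller-chosen id is the right call for audit integrity, but it deserves a comment so the next maintainer does not "fix" it, e.g. `// The creator is always the authenticated user; a caller-supplied creator_id is ignored when a session exists.` If the intent is that creator_id is honoured only for calls without a user session, that should also be stated in the API reference. createTask's body starts before and continues after this hunk.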
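Review bot: The owner check in updateTask guards on `$owner_id !== null`, so a caller that clears the assignee by passing owner_id 0 reaches `isMember($project_id, 0)`, whereas the sibling check in createTask in the first hunk skips the lookup for 0; unless isMember treats 0 as a member, unassignment through the API would now be rejected with a bare false. Aligning the two, `if ($owner_id !== null && $owner_id !== 0 && ! $this->projectPermission->isMember($project_id, $owner_id)) {`, keeps the fail-closed behaviour for real user ids while letting 0 through consistently. The `$project_id === 0` guard also assumes getProjectId returns a strict int; if the driver can hand back a string the guard never fires, which is worth a quick check. updateTask's body continues past the end of this hunk.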