Apply column restrictions to the board

author: Frederic Guillot <fred@kanboard.net> 2016-09-08 22:33:16 -0400
committer: Frederic Guillot <fred@kanboard.net> 2016-09-08 22:33:16 -0400
commit: 75470c72428c8d8f278d160369558ab31b137fb1 (patch)
tree: 7fcad6cbc661e2762f1dfa5f643a5beac5217a17 /app/Controller/BoardAjaxController.php
parent: fedf4ea2de21fcf95fc5aa942cedc7924865f160 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/app/Controller/BoardAjaxController.php b/app/Controller/BoardAjaxController.php
index ccd47667..5e771fd6 100644
--- a/app/Controller/BoardAjaxController.php
+++ b/app/Controller/BoardAjaxController.php
@@ -28,11 +28,21 @@ class BoardAjaxController extends BaseController
         }
 
         $values = $this->request->getJson();
+        $canMoveTask = $this->columnMoveRestrictionModel->isAllowed(
+            $project_id,
+            $this->helper->user->getProjectUserRole($project_id),
+            $values['src_column_id'],
+            $values['dst_column_id']
+        );
+
+        if (! $canMoveTask) {
+            throw new AccessForbiddenException("You don't have the permission to move this task");
+        }
 
         $result =$this->taskPositionModel->movePosition(
             $project_id,
             $values['task_id'],
-            $values['column_id'],
+            $values['dst_column_id'],
             $values['position'],
             $values['swimlane_id']
         );
author	Frederic Guillot <fred@kanboard.net>	2016-09-08 22:33:16 -0400
committer	Frederic Guillot <fred@kanboard.net>	2016-09-08 22:33:16 -0400
commit	75470c72428c8d8f278d160369558ab31b137fb1 (patch)
tree	7fcad6cbc661e2762f1dfa5f643a5beac5217a17 /app/Controller/BoardAjaxController.php
parent	fedf4ea2de21fcf95fc5aa942cedc7924865f160 (diff)