summaryrefslogtreecommitdiff
path: root/app/Controller
diff options
context:
space:
mode:
authorFrederic Guillot <fred@kanboard.net>2017-04-07 21:46:36 -0400
committerFrederic Guillot <fred@kanboard.net>2017-04-07 21:46:36 -0400
commit003c03a4e6a73dfa3633ba756e3647bf9d4517a5 (patch)
tree1a32db21cd8d4f28a08d928f48c2532d50deae07 /app/Controller
parent481e767d3533449e63eda1767c5e6c071d3442a3 (diff)
Add project restriction to block task edition
Diffstat (limited to 'app/Controller')
-rw-r--r--app/Controller/TaskModificationController.php20
1 files changed, 15 insertions, 5 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index d2b02a80..a3f68a8b 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -22,7 +22,9 @@ class TaskModificationController extends BaseController
public function start()
{
$task = $this->getTask();
- $this->taskModificationModel->update(array('id' => $task['id'], 'date_started' => time()));
+ $values = array('id' => $task['id'], 'date_started' => time());
+ $this->checkPermission($task, $values);
+ $this->taskModificationModel->update($values);
$this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('project_id' => $task['project_id'], 'task_id' => $task['id'])));
}
@@ -103,10 +105,7 @@ class TaskModificationController extends BaseController
protected function updateTask(array &$task, array &$values, array &$errors)
{
- if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {
- throw new AccessForbiddenException(t('You are not allowed to change the assignee'));
- }
-
+ $this->checkPermission($task, $values);
$result = $this->taskModificationModel->update($values);
if ($result && ! empty($task['external_uri'])) {
@@ -123,4 +122,15 @@ class TaskModificationController extends BaseController
return $result;
}
+
+ protected function checkPermission(array &$task, array &$values)
+ {
+ if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
+ }
+
+ if (! $this->helper->projectRole->canUpdateTask($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+ }
+ }
}