diff options
author | Frederic Guillot <fred@kanboard.net> | 2017-04-07 21:46:36 -0400 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2017-04-07 21:46:36 -0400 |
commit | 003c03a4e6a73dfa3633ba756e3647bf9d4517a5 (patch) | |
tree | 1a32db21cd8d4f28a08d928f48c2532d50deae07 /app/Controller | |
parent | 481e767d3533449e63eda1767c5e6c071d3442a3 (diff) |
Add project restriction to block task edition
Diffstat (limited to 'app/Controller')
-rw-r--r-- | app/Controller/TaskModificationController.php | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php index d2b02a80..a3f68a8b 100644 --- a/app/Controller/TaskModificationController.php +++ b/app/Controller/TaskModificationController.php @@ -22,7 +22,9 @@ class TaskModificationController extends BaseController public function start() { $task = $this->getTask(); - $this->taskModificationModel->update(array('id' => $task['id'], 'date_started' => time())); + $values = array('id' => $task['id'], 'date_started' => time()); + $this->checkPermission($task, $values); + $this->taskModificationModel->update($values); $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('project_id' => $task['project_id'], 'task_id' => $task['id']))); } @@ -103,10 +105,7 @@ class TaskModificationController extends BaseController protected function updateTask(array &$task, array &$values, array &$errors) { - if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) { - throw new AccessForbiddenException(t('You are not allowed to change the assignee')); - } - + $this->checkPermission($task, $values); $result = $this->taskModificationModel->update($values); if ($result && ! empty($task['external_uri'])) { @@ -123,4 +122,15 @@ class TaskModificationController extends BaseController return $result; } + + protected function checkPermission(array &$task, array &$values) + { + if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) { + throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); + } + + if (! $this->helper->projectRole->canUpdateTask($task)) { + throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); + } + } } |