authorFrédéric Guillot <fred@kanboard.net>2014-09-23 15:17:04 +0200
committerFrédéric Guillot <fred@kanboard.net>2014-09-23 15:17:04 +0200
commit484c9614d1ed325448bf3a6e97e00a9f4448dc93 (patch)
tree99848dbe2e088b67152c3def675a9253c1b5ce8a /app/Controller
parent0bd0beba411991844d5a9b44b1b51a6eb903dff7 (diff)
Regular users can remove only their own tasks
Diffstat (limited to 'app/Controller')
-rw-r--r--app/Controller/Base.php5
-rw-r--r--app/Controller/Task.php4
2 files changed, 9 insertions, 0 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index e9957bbd..e07aabf7 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -31,6 +31,7 @@ use Model\LastLogin;
* @property \Model\Task $task
* @property \Model\TaskHistory $taskHistory
* @property \Model\TaskExport $taskExport
+ * @property \Model\TaskPermission $taskPermission
* @property \Model\TaskValidator $taskValidator
* @property \Model\CommentHistory $commentHistory
* @property \Model\SubtaskHistory $subtaskHistory
@@ -242,6 +243,10 @@ abstract class Base
*/
protected function taskLayout($template, array $params)
{
+ if (isset($params['task']) && $this->taskPermission->canRemoveTask($params['task']) === false) {
+ $params['hide_remove_menu'] = true;
+ }
+
$content = $this->template->load($template, $params);
$params['task_content_for_layout'] = $content;
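Review bot: The new guard in taskLayout tests the permission result with `=== false`, whereas the Task.php hunk in this same commit negates it with `!`; canRemoveTask's return type is not visible here, so if it ever yielded a non-boolean falsy value the menu would stay visible while the action itself is refused. Writing the condition as `if (isset($params['task']) && ! $this->taskPermission->canRemoveTask($params['task'])) {` keeps both call sites consistent and independent of the exact return type. Since setting `hide_remove_menu` only affects what the template renders, a comment such as `// Presentation only: the authorization decision is enforced in the Task controller` would make clear to the next maintainer that this line is not the access check. taskLayout's body continues past the end of the hunk.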
diff --git a/app/Controller/Task.php b/app/Controller/Task.php
index 7bb989c6..28db5c28 100644
--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -289,6 +289,10 @@ class Task extends Base
{
$task = $this->getTask();
+ if (! $this->taskPermission->canRemoveTask($task)) {
+ $this->forbidden();
+ }
+
if ($this->request->getStringParam('confirmation') === 'yes') {
$this->checkCSRFParam();