author | Frédéric Guillot <fred@kanboard.net> | 2017-12-01 14:36:03 -0800 |
committer | Frédéric Guillot <fred@kanboard.net> | 2017-12-01 14:36:03 -0800 |
commit | 69d233eaa079e54dd9653d7b777c9397d138e000 (patch) | |
tree | ade0636433a52927bba18321042dcd67a690c851 /app/Controller | |
parent | d21aed4e3bb5278e12346dee9de6fb608f691cb8 (diff) |
Improve permission checks on custom filters page
Diffstat (limited to 'app/Controller')
-rw-r--r-- | app/Controller/CustomFilterController.php | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/app/Controller/CustomFilterController.php b/app/Controller/CustomFilterController.php index 1bf1617e..3e2de713 100644 --- a/app/Controller/CustomFilterController.php +++ b/app/Controller/CustomFilterController.php @@ -182,10 +182,12 @@ class CustomFilterController extends BaseController private function checkPermission(array $project, array $filter) { - $user_id = $this->userSession->getId(); + $userID = $this->userSession->getId(); - if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) { - throw new AccessForbiddenException(); + if ($filter['user_id'] != $userID) { + if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) { + throw new AccessForbiddenException(); + } } } } |
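Review bot: The ownership test on the new `if ($filter['user_id'] != $userID)` line still uses loose `!=`, so this authorization decision depends on PHP type juggling between whatever type the stored `user_id` carries (presumably a string or int from the row) and the session id; since this is the gate for editing someone else's filter, make the comparison explicit, e.g. `if ((int) $filter['user_id'] !== (int) $userID` (the casts keep a numeric-string row value equal to an int session id, so owners are not locked out). The two nested `if`s can then be folded into a single condition joined with `&&`, which states the intent directly: deny unless the caller owns the filter, holds `Role::PROJECT_MANAGER` on the project, or is an admin. The method also has no docblock; I would add `@throws AccessForbiddenException when the current user neither owns the filter, is a project manager on the project, nor is an administrator` so the contract is visible to callers.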