summaryrefslogtreecommitdiff
path: root/app/Controller
diff options
context:
space:
mode:
authorFrederic Guillot <fred@kanboard.net>2017-04-08 10:34:34 -0400
committerFrederic Guillot <fred@kanboard.net>2017-04-08 10:34:34 -0400
commit9a8c6d6493191a09720a634c58c230dba1cafeeb (patch)
tree44e75a5dafefa502290a8b89fa91ff91d83b0c0f /app/Controller
parent003c03a4e6a73dfa3633ba756e3647bf9d4517a5 (diff)
Improve task update restriction
Diffstat (limited to 'app/Controller')
-rw-r--r--app/Controller/TaskModificationController.php25
1 files changed, 13 insertions, 12 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index a3f68a8b..a53c1a38 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -40,6 +40,11 @@ class TaskModificationController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
+
+ if (! $this->helper->projectRole->canUpdateTask($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+ }
+
$project = $this->projectModel->getById($task['project_id']);
if (empty($values)) {
@@ -105,7 +110,14 @@ class TaskModificationController extends BaseController
protected function updateTask(array &$task, array &$values, array &$errors)
{
- $this->checkPermission($task, $values);
+ if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
+ }
+
+ if (! $this->helper->projectRole->canUpdateTask($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+ }
+
$result = $this->taskModificationModel->update($values);
if ($result && ! empty($task['external_uri'])) {
@@ -122,15 +134,4 @@ class TaskModificationController extends BaseController
return $result;
}
-
- protected function checkPermission(array &$task, array &$values)
- {
- if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
- throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
- }
-
- if (! $this->helper->projectRole->canUpdateTask($task)) {
- throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
- }
- }
}