author | Frederic Guillot <fred@kanboard.net> | 2017-04-08 10:34:34 -0400 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2017-04-08 10:34:34 -0400 |
commit | 9a8c6d6493191a09720a634c58c230dba1cafeeb (patch) | |
tree | 44e75a5dafefa502290a8b89fa91ff91d83b0c0f /app/Controller | |
parent | 003c03a4e6a73dfa3633ba756e3647bf9d4517a5 (diff) |
Improve task update restriction
Diffstat (limited to 'app/Controller')
-rw-r--r-- | app/Controller/TaskModificationController.php | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php index a3f68a8b..a53c1a38 100644 --- a/app/Controller/TaskModificationController.php +++ b/app/Controller/TaskModificationController.php @@ -40,6 +40,11 @@ class TaskModificationController extends BaseController public function edit(array $values = array(), array $errors = array()) { $task = $this->getTask(); + + if (! $this->helper->projectRole->canUpdateTask($task)) { + throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); + } + $project = $this->projectModel->getById($task['project_id']); if (empty($values)) { @@ -105,7 +110,14 @@ class TaskModificationController extends BaseController protected function updateTask(array &$task, array &$values, array &$errors) { - $this->checkPermission($task, $values); + if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) { + throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); + } + + if (! $this->helper->projectRole->canUpdateTask($task)) { + throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); + } + $result = $this->taskModificationModel->update($values); if ($result && ! empty($task['external_uri'])) { @@ -122,15 +134,4 @@ class TaskModificationController extends BaseController return $result; } - - protected function checkPermission(array &$task, array &$values) - { - if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) { - throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); - } - - if (! $this->helper->projectRole->canUpdateTask($task)) { - throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); - } - } } |
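Review bot: The assignee-change guard now inlined in updateTask compares `$values['owner_id']` with `$task['owner_id']` using loose `!=`; the submitted value is a string while the stored one is likely an int, and under PHP's loose comparison rules (pre-8) an empty or non-numeric string compares equal to `0`, so for an unassigned task the `canChangeAssignee` check would be skipped — whether the model then rejects such a value is not visible here. Normalising both sides first, `(int) $values['owner_id'] !== (int) $task['owner_id']`, makes the comparison strict and independent of the PHP version. Both permission checks are evaluated against `$task` while the write is `update($values)`; updateTask's callers are outside the hunk, so it is worth confirming there that `$values['id']` is pinned to `$task['id']` rather than taken from the request, otherwise the check and the write could refer to different tasks. The body of updateTask continues past the hunk.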