author | Frederic Guillot <fred@kanboard.net> | 2017-04-07 21:46:36 -0400 |
committer | Frederic Guillot <fred@kanboard.net> | 2017-04-07 21:46:36 -0400 |
commit | 003c03a4e6a73dfa3633ba756e3647bf9d4517a5 (patch) | |
tree | 1a32db21cd8d4f28a08d928f48c2532d50deae07 /app | |
parent | 481e767d3533449e63eda1767c5e6c071d3442a3 (diff) |
Add project restriction to block task edition
Diffstat (limited to 'app')
-rw-r--r-- | app/Controller/TaskModificationController.php | 20 | ||||
-rw-r--r-- | app/Helper/ProjectRoleHelper.php | 18 | ||||
-rw-r--r-- | app/Model/ProjectRoleRestrictionModel.php | 2 |
3 files changed, 35 insertions, 5 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index d2b02a80..a3f68a8b 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -22,7 +22,9 @@ class TaskModificationController extends BaseController
 public function start()
 {
 $task = $this->getTask();
- $this->taskModificationModel->update(array('id' => $task['id'], 'date_started' => time()));
+ $values = array('id' => $task['id'], 'date_started' => time());
+ $this->checkPermission($task, $values);
+ $this->taskModificationModel->update($values);
 $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('project_id' => $task['project_id'], 'task_id' => $task['id'])));
 }
 
@@ -103,10 +105,7 @@ class TaskModificationController extends BaseController
 
 protected function updateTask(array &$task, array &$values, array &$errors)
 {
- if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {
- throw new AccessForbiddenException(t('You are not allowed to change the assignee'));
- }
-
+ $this->checkPermission($task, $values);
 $result = $this->taskModificationModel->update($values);
 
 if ($result && ! empty($task['external_uri'])) {
@@ -123,4 +122,15 @@ class TaskModificationController extends BaseController
 
 return $result;
 }
+
+ protected function checkPermission(array &$task, array &$values)
+ {
+ if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
+ }
+
+ if (! $this->helper->projectRole->canUpdateTask($task)) {
+ throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+ }
+ }
 }
diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php
index 508dc9e0..295b8b3e 100644
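Review bot: `checkPermission` declares both parameters by reference (`array &$task, array &$values`) but never writes to either, so the `&` only obscures the contract and invites callers to assume the arrays may be rewritten; `protected function checkPermission(array $task, array $values)` states what the method actually does. The method also lacks a docblock while the helper method added in the same commit has one; a short one should say that it throws `AccessForbiddenException` when either the assignee change or the update itself is not permitted, and that the update restriction is evaluated against the task's stored `owner_id`, not the posted one. The guard is now applied before both `update()` calls in this controller (`start()` and `updateTask()`); whether other code paths update tasks outside this controller is not visible in this diff, so that coverage is unconfirmed here.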
--- a/app/Helper/ProjectRoleHelper.php
+++ b/app/Helper/ProjectRoleHelper.php
@@ -190,6 +190,24 @@ class ProjectRoleHelper extends Base
 }
 
 /**
+ * Return true if the user can update a task
+ *
+ * @public
+ * @param array $task
+ * @return bool
+ */
+ public function canUpdateTask(array $task)
+ {
+ $role = $this->getProjectUserRole($task['project_id']);
+
+ if ($task['owner_id'] != $this->userSession->getId() && $this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_UPDATE_ASSIGNED)) {
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
 * Check project access
 *
 * @param string $controller
diff --git a/app/Model/ProjectRoleRestrictionModel.php b/app/Model/ProjectRoleRestrictionModel.php
index 714b2a65..b7a8e084 100644
--- a/app/Model/ProjectRoleRestrictionModel.php
+++ b/app/Model/ProjectRoleRestrictionModel.php
@@ -19,6 +19,7 @@ class ProjectRoleRestrictionModel extends Base
 const RULE_TASK_OPEN_CLOSE = 'task_open_close';
 const RULE_TASK_MOVE = 'task_move';
 const RULE_TASK_CHANGE_ASSIGNEE = 'task_change_assignee';
+ const RULE_TASK_UPDATE_ASSIGNED = 'task_update_assigned';
 
 /**
 * Get rules
@@ -33,6 +34,7 @@ class ProjectRoleRestrictionModel extends Base
 self::RULE_TASK_OPEN_CLOSE => t('Closing or opening a task is not permitted'),
 self::RULE_TASK_MOVE => t('Moving a task is not permitted'),
 self::RULE_TASK_CHANGE_ASSIGNEE => t('Changing assignee is not permitted'),
+ self::RULE_TASK_UPDATE_ASSIGNED => t('Update only assigned tasks'),
 );
 }
 
|
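Review bot: The owner test in `canUpdateTask` relies on loose `!=` between `$task['owner_id']` (read from the task row, so its scalar type is not fixed here) and `$this->userSession->getId()`; an authorization decision should not depend on PHP's loose-comparison rules, so normalise both sides: `if ((int) $task['owner_id'] !== (int) $this->userSession->getId() && $this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_UPDATE_ASSIGNED)) {`. The docblock tag `@public` is not a PHPDoc tag; if the rest of this file uses `@access public` (the neighbouring docblocks visible here do not show it, so unconfirmed) it should match. `$role` is looked up via `getProjectUserRole()` before the owner check, so the lookup runs even when the user owns the task and the result is unused; moving it inside the condition avoids the wasted call. The docblock should also state the edge case the code implies: an unassigned task does not match the current user, so restricted roles are blocked from updating it as well, e.g. `Users under this restriction may only update tasks assigned to themselves; unassigned tasks are blocked.`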