author | Frederic Guillot <fred@kanboard.net> | 2015-08-07 18:07:19 -0400 |
---|---|---|
committer | Frederic Guillot <fred@kanboard.net> | 2015-08-07 18:07:19 -0400 |
commit | 2d5621af2f3678ce4959a450663f5657098144bc (patch) | |
tree | 876b0097fa1f5e3fd5ae5b013ad5500976357b20 /app | |
parent | 2ffafaac7e8ee985eebe8c89248fc5daf6b2276e (diff) |
Fix permission issue when changing the url manually
Diffstat (limited to 'app')
-rw-r--r-- | app/Controller/Base.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index f68c4755..bfcbfd2a 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -269,12 +269,17 @@ abstract class Base extends \Core\Base
 */
 protected function getTask()
 {
+ $project_id = $this->request->getIntegerParam('project_id');
 $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
 if (empty($task)) {
 $this->notfound();
 }
+ if ($project_id !== 0 && $project_id != $task['project_id']) {
+ $this->forbidden();
+ }
+
 return $task;
 } |
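Review bot: The new ownership check in getTask() only runs when `project_id` is present, because of the `$project_id !== 0` guard; a request that carries `task_id` alone still gets the task back with no project comparison (assuming getIntegerParam() yields 0 for a missing parameter, which is not visible here). If project access is authorised elsewhere from the `project_id` URL parameter, the task's real project is then never checked, so I would compare unconditionally, `if ($project_id !== (int) $task['project_id']) {`, or authorise the current user against `$task['project_id']` for routes that legitimately omit the parameter. The cast also replaces the loose `!=` with a strict comparison. It is worth confirming that forbidden() terminates the request, since `return $task;` follows it directly; the method's docblock starts outside the hunk.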