diff options
author | Frédéric Guillot <fred@kanboard.net> | 2017-12-01 14:36:03 -0800 |
---|---|---|
committer | Frédéric Guillot <fred@kanboard.net> | 2017-12-01 14:36:03 -0800 |
commit | 69d233eaa079e54dd9653d7b777c9397d138e000 (patch) | |
tree | ade0636433a52927bba18321042dcd67a690c851 /app | |
parent | d21aed4e3bb5278e12346dee9de6fb608f691cb8 (diff) |
Improve permission checks on custom filters page
Diffstat (limited to 'app')
-rw-r--r-- | app/Controller/CustomFilterController.php | 8 | ||||
-rw-r--r-- | app/Template/custom_filter/index.php | 4 |
2 files changed, 7 insertions, 5 deletions
diff --git a/app/Controller/CustomFilterController.php b/app/Controller/CustomFilterController.php index 1bf1617e..3e2de713 100644 --- a/app/Controller/CustomFilterController.php +++ b/app/Controller/CustomFilterController.php @@ -182,10 +182,12 @@ class CustomFilterController extends BaseController private function checkPermission(array $project, array $filter) { - $user_id = $this->userSession->getId(); + $userID = $this->userSession->getId(); - if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) { - throw new AccessForbiddenException(); + if ($filter['user_id'] != $userID) { + if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) { + throw new AccessForbiddenException(); + } } } } diff --git a/app/Template/custom_filter/index.php b/app/Template/custom_filter/index.php index 9180deee..a1dc223d 100644 --- a/app/Template/custom_filter/index.php +++ b/app/Template/custom_filter/index.php @@ -18,9 +18,9 @@ <?php foreach ($custom_filters as $filter): ?> <tr> <td> - <?php if ($filter['user_id'] == $this->user->getId() || $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?> + <?php if (($filter['user_id'] == $this->user->getId() || $this->user->isAdmin() || $this->projectRole->getProjectUserRole($project['id']) == \Kanboard\Core\Security\Role::PROJECT_MANAGER) && $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?> <div class="dropdown"> - <a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog fa-fw"></i><i class="fa fa-caret-down"></i></a> + <a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog"></i><i class="fa fa-caret-down"></i></a> <ul> <li><?= $this->modal->medium('edit', t('Edit'), 'CustomFilterController', 'edit', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li> <li><?= $this->modal->confirm('trash-o', t('Remove'), 'CustomFilterController', 'confirm', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li> |