authorFrédéric Guillot <fred@kanboard.net>2017-12-01 14:36:03 -0800
committerFrédéric Guillot <fred@kanboard.net>2017-12-01 14:36:03 -0800
commit69d233eaa079e54dd9653d7b777c9397d138e000 (patch)
treeade0636433a52927bba18321042dcd67a690c851 /app
parentd21aed4e3bb5278e12346dee9de6fb608f691cb8 (diff)
Improve permission checks on custom filters page
Diffstat (limited to 'app')
-rw-r--r--app/Controller/CustomFilterController.php8
-rw-r--r--app/Template/custom_filter/index.php4
2 files changed, 7 insertions, 5 deletions
diff --git a/app/Controller/CustomFilterController.php b/app/Controller/CustomFilterController.php
index 1bf1617e..3e2de713 100644
--- a/app/Controller/CustomFilterController.php
+++ b/app/Controller/CustomFilterController.php
@@ -182,10 +182,12 @@ class CustomFilterController extends BaseController
private function checkPermission(array $project, array $filter)
{
- $user_id = $this->userSession->getId();
+ $userID = $this->userSession->getId();
- if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) {
- throw new AccessForbiddenException();
+ if ($filter['user_id'] != $userID) {
+ if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) {
+ throw new AccessForbiddenException();
+ }
}
}
}
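Review bot: The rewritten checkPermission still never ties the filter to the project it is being edited under — nothing on lines 28-31 compares `$filter['project_id']` with `$project['id']`, so if the caller (outside this hunk) loads the filter by filter_id alone, a project manager of one project could act on another project's filter by supplying a mismatched project_id. I would guard at the top of the method: `if (empty($filter) || (int) $filter['project_id'] !== (int) $project['id']) { throw new AccessForbiddenException(); }`, which also handles an unknown filter_id instead of reading `$filter['user_id']` from an empty array. The ownership test on line 28 still uses loose `!=` while the role test on line 29 uses `!==`; casting both ids to int and comparing with `!==` makes the intent explicit. Whether the callers already validate project_id cannot be seen from this hunk.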
diff --git a/app/Template/custom_filter/index.php b/app/Template/custom_filter/index.php
index 9180deee..a1dc223d 100644
--- a/app/Template/custom_filter/index.php
+++ b/app/Template/custom_filter/index.php
@@ -18,9 +18,9 @@
<?php foreach ($custom_filters as $filter): ?>
<tr>
<td>
- <?php if ($filter['user_id'] == $this->user->getId() || $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
+ <?php if (($filter['user_id'] == $this->user->getId() || $this->user->isAdmin() || $this->projectRole->getProjectUserRole($project['id']) == \Kanboard\Core\Security\Role::PROJECT_MANAGER) && $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
<div class="dropdown">
- <a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog fa-fw"></i><i class="fa fa-caret-down"></i></a>
+ <a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog"></i><i class="fa fa-caret-down"></i></a>
<ul>
<li><?= $this->modal->medium('edit', t('Edit'), 'CustomFilterController', 'edit', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li>
<li><?= $this->modal->confirm('trash-o', t('Remove'), 'CustomFilterController', 'confirm', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li>
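Review bot: The new condition on line 44 restates the owner / project-manager / admin rule from CustomFilterController::checkPermission inside the template, so the two copies can drift and the menu will show actions the controller rejects (or hide ones it allows); a single shared helper that both the template and the controller call would keep them aligned, though no such helper is visible here. Within the hunk, both comparisons are loose (`$filter['user_id'] == $this->user->getId()` and `... == \Kanboard\Core\Security\Role::PROJECT_MANAGER`) while the controller side now uses strict `!==`; use `===` with `(int)` casts on the ids so both sides compare the same way. This template test only decides what to render — the controller check remains the enforcement point. The `<?php if` block opened on line 44 closes outside the hunk.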