-rw-r--r-- | app/Controller/Base.php | 27 | ||||
-rw-r--r-- | app/Model/TaskFinder.php | 12 |
2 files changed, 34 insertions, 5 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index e0f99d18..232e09bf 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -165,16 +165,17 @@ abstract class Base
 $this->container['dispatcher']->dispatch('session.bootstrap', new Event);
 if (! $this->acl->isPublicAction($controller, $action)) {
- $this->handleAuthenticatedUser($controller, $action);
+ $this->handleAuthentication($controller, $action);
+ $this->handleAuthorization($controller, $action);
 }
 }
 /**
- * Check page access and authentication
+ * Check authentication
 *
 * @access public
 */
- public function handleAuthenticatedUser($controller, $action)
+ public function handleAuthentication($controller, $action)
 {
 if (! $this->authentication->isAuthenticated()) {
@@ -184,8 +185,24 @@ abstract class Base
 $this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString()));
 }
+ }
+
+ /**
+ * Check page access and authorization
+ *
+ * @access public
+ */
+ public function handleAuthorization($controller, $action)
+ {
+ $project_id = $this->request->getIntegerParam('project_id');
+ $task_id = $this->request->getIntegerParam('task_id');
+
+ // Allow urls without "project_id"
+ if ($task_id > 0 && $project_id === 0) {
+ $project_id = $this->taskFinder->getProjectId($task_id);
+ }
- if (! $this->acl->isAllowed($controller, $action, $this->request->getIntegerParam('project_id', 0))) {
+ if (! $this->acl->isAllowed($controller, $action, $project_id)) {
 $this->forbidden();
 }
 }
@@ -287,7 +304,7 @@ abstract class Base
 {
 $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
- if (! $task || $task['project_id'] != $this->request->getIntegerParam('project_id')) {
+ if (! $task) {
 $this->notfound();
 }
diff --git a/app/Model/TaskFinder.php b/app/Model/TaskFinder.php
index 6a19eeec..42f2f273 100644
--- a/app/Model/TaskFinder.php
+++ b/app/Model/TaskFinder.php
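Review bot: In handleAuthorization (second hunk) the project passed to isAllowed() is the request's project_id whenever it is non-zero, and the task's own project is consulted only when project_id is absent, so a request carrying a task_id together with a different, permitted project_id is authorised against the wrong project; the third hunk at the same time drops the `$task['project_id'] != $this->request->getIntegerParam('project_id')` comparison that previously caught that mismatch when the task was loaded. When task_id is present the task's project should be the authority: `if ($task_id > 0) {` in place of `if ($task_id > 0 && $project_id === 0) {`, which is also what makes the removal in the third hunk safe. After that change a 0 from getProjectId() means the task does not exist, and what isAllowed() does with project 0 is outside the hunk, so reject it explicitly before the ACL call, e.g. `if ($task_id > 0 && $project_id === 0) { $this->notfound(); }`. The function containing the third hunk starts and ends outside the hunk.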
@@ -173,6 +173,18 @@ class TaskFinder extends Base
 }
 /**
+ * Get project id for a given task
+ *
+ * @access public
+ * @param integer $task_id Task id
+ * @return integer
+ */
+ public function getProjectId($task_id)
+ {
+ return (int) $this->db->table(Task::TABLE)->eq('id', $task_id)->findOneColumn('project_id') ?: 0;
+ }
+
+ /**
 * Fetch a task by the id
 *
 * @access public
|
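Review bot: getProjectId() documents `@return integer` but yields 0 for a task that does not exist, and callers (the new authorization check in Base.php uses this value for the ACL decision) must treat that 0 as "no project" rather than as a project id; say so in the docblock, e.g. `@return integer Project id, or 0 when the task does not exist`. The `?: 0` after the `(int)` cast is redundant: the cast binds tighter than `?:` and `(int) false` is already 0, so `return (int) $this->db->table(Task::TABLE)->eq('id', $task_id)->findOneColumn('project_id');` behaves the same and reads more plainly. The enclosing class continues outside the hunk.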