diff options
| -rw-r--r-- | app/Controller/TaskModificationController.php | 4 | ||||
| -rw-r--r-- | app/Template/task/dropdown.php | 2 |
2 files changed, 5 insertions, 1 deletions
diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php index dcf9ec2a..b253428f 100644 --- a/app/Controller/TaskModificationController.php +++ b/app/Controller/TaskModificationController.php @@ -22,6 +22,10 @@ class TaskModificationController extends BaseController if (! $this->helper->projectRole->canUpdateTask($task)) { throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); } + + if (! $this->helper->projectRole->canChangeAssignee($task)) { + throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); + } $this->taskModificationModel->update($values); $this->redirectAfterQuickAction($task); diff --git a/app/Template/task/dropdown.php b/app/Template/task/dropdown.php index 1bad6615..cc97d1a1 100644 --- a/app/Template/task/dropdown.php +++ b/app/Template/task/dropdown.php @@ -2,7 +2,7 @@ <a href="#" class="dropdown-menu dropdown-menu-link-icon"><strong>#<?= $task['id'] ?> <i class="fa fa-caret-down"></i></strong></a> <ul> <?php if ($this->projectRole->canUpdateTask($task)): ?> - <?php if (array_key_exists('owner_id', $task) && $task['owner_id'] != $this->user->getId()): ?> + <?php if ($this->projectRole->canChangeAssignee($task) && array_key_exists('owner_id', $task) && $task['owner_id'] != $this->user->getId()): ?> <li> <?= $this->url->icon('hand-o-right', t('Assign to me'), 'TaskModificationController', 'assignToMe', ['task_id' => $task['id'], 'project_id' => $task['project_id'], 'redirect' => isset($redirect) ? $redirect : '']) ?> </li> |