1 files changed, 20 insertions, 1 deletions

diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index 520bf70e..338ed540 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -22,7 +22,11 @@ class TaskModificationController extends BaseController
     public function start()
     {
         $task = $this->getTask();
-        $this->taskModificationModel->update(array('id' => $task['id'], 'date_started' => time()));
+        $values = array('id' => $task['id'], 'date_started' => time());
+        if (! $this->helper->projectRole->canUpdateTask($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+        }
+        $this->taskModificationModel->update($values);
         $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('project_id' => $task['project_id'], 'task_id' => $task['id'])));
     }
 
@@ -38,6 +42,11 @@ class TaskModificationController extends BaseController
     public function edit(array $values = array(), array $errors = array())
     {
         $task = $this->getTask();
+
+        if (! $this->helper->projectRole->canUpdateTask($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+        }
+
         $project = $this->projectModel->getById($task['project_id']);
 
         if (empty($values)) {
@@ -89,6 +98,8 @@ class TaskModificationController extends BaseController
     {
         $task = $this->getTask();
         $values = $this->request->getValues();
+        $values['id'] = $task['id'];
+        $values['project_id'] = $task['project_id'];
 
         list($valid, $errors) = $this->taskValidator->validateModification($values);
 
@@ -103,6 +114,14 @@ class TaskModificationController extends BaseController
 
     protected function updateTask(array &$task, array &$values, array &$errors)
     {
+        if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
+        }
+
+        if (! $this->helper->projectRole->canUpdateTask($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
+        }
+
         $result = $this->taskModificationModel->update($values);
 
         if ($result && ! empty($task['external_uri'])) {