Diffstat (limited to 'app/Controller')
-rw-r--r--app/Controller/Base.php15
-rw-r--r--app/Controller/Project.php35
2 files changed, 49 insertions, 1 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index 5027cf31..5b99e6b8 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -253,6 +253,20 @@ abstract class Base
}
/**
+ * Check if the current user is owner of the given project
+ *
+ * @access protected
+ * @param integer $project_id Project id
+ */
+ protected function checkProjectOwnerPermissions($project_id)
+ {
+ if (! $this->acl->isAdminUser() &&
+ ! ($this->acl->isRegularUser() && $this->projectPermission->isOwner($project_id, $this->acl->getUserId()))) {
+ $this->forbidden();
+ }
+ }
+
+ /**
* Redirection when there is no project in the database
*
* @access protected
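Review bot: `checkProjectOwnerPermissions()` depends on `forbidden()` ending the request; if that helper only renders an error page and returns, every caller that places this check before `validateUserModification()` would continue into the privileged action, so it is worth confirming it exits or throws. The method also takes `$project_id` untyped, and at least one caller in this commit (`allow()`) passes a raw request value, so a missing or non-numeric id reaches `isOwner()` as null or a string; a leading `$project_id = (int) $project_id;` would make the ownership lookup and the later action agree on the id. The docblock omits the admin bypass and the failure mode; suggest `* Admins always pass; regular users pass only when they own $project_id; everyone else is rejected via forbidden().`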
@@ -299,6 +313,7 @@ abstract class Base
$params['project_content_for_layout'] = $content;
$params['title'] = $params['project']['name'] === $params['title'] ? $params['title'] : $params['project']['name'].' > '.$params['title'];
$params['board_selector'] = $this->projectPermission->getAllowedProjects($this->acl->getUserId());
+ $params['is_owner'] = $this->projectPermission->isOwner($params['project']['id'], $this->acl->getUserId());
return $this->template->layout('project/layout', $params);
}
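Review bot: The new `$params['is_owner']` on the last added line is computed from `isOwner()` alone, while the `checkProjectOwnerPermissions()` gate added in the same commit also admits admins, so an admin who does not own the project gets `is_owner = false` even though the ownership actions would succeed for them. If the template uses this flag to show or hide the owner controls, the UI and the server-side check disagree; aligning them is a one-liner: `$params['is_owner'] = $this->acl->isAdminUser() || $this->projectPermission->isOwner($params['project']['id'], $this->acl->getUserId());`. The enclosing method starts before this hunk.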
diff --git a/app/Controller/Project.php b/app/Controller/Project.php
index 83c81cae..d407c17e 100644
--- a/app/Controller/Project.php
+++ b/app/Controller/Project.php
@@ -244,11 +244,43 @@ class Project extends Base
public function allow()
{
$values = $this->request->getValues();
+ $this->checkProjectOwnerPermissions($values['project_id']);
list($valid,) = $this->projectPermission->validateUserModification($values);
if ($valid) {
- if ($this->projectPermission->allowUser($values['project_id'], $values['user_id'])) {
+ if ($this->projectPermission->allowUser($values['project_id'], $values['user_id'], $values['is_owner'])) {
+ $this->session->flash(t('Project updated successfully.'));
+ }
+ else {
+ $this->session->flashError(t('Unable to update this project.'));
+ }
+ }
+
+ $this->response->redirect('?controller=project&action=users&project_id='.$values['project_id']);
+ }
+
+ /**
+ * Set ownership for a specific user (admin only)
+ *
+ * @access public
+ */
+ public function setOwner()
+ {
+ $this->checkCSRFParam();
+
+ $values = array(
+ 'project_id' => $this->request->getIntegerParam('project_id'),
+ 'user_id' => $this->request->getIntegerParam('user_id'),
+ 'is_owner' => $this->request->getIntegerParam('is_owner'),
+ );
+
+ $this->checkProjectOwnerPermissions($values['project_id']);
+ list($valid,) = $this->projectPermission->validateUserModification($values);
+
+ if ($valid) {
+
+ if ($this->projectPermission->setOwner($values['project_id'], $values['user_id'], $values['is_owner'])) {
$this->session->flash(t('Project updated successfully.'));
}
else {
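Review bot: In `allow()`, `$values['is_owner']` is read straight from the POST body on the `allowUser()` call and forwarded as-is; if the form omits the field this is an undefined-index notice, and if present any string goes through unless `validateUserModification()` (not visible here) rejects it, so normalise first: `$values['is_owner'] = empty($values['is_owner']) ? 0 : 1;`. The same applies in `setOwner()`, where `getIntegerParam('is_owner')` accepts any integer, not only 0 or 1. The `setOwner()` docblock says "(admin only)" but `checkProjectOwnerPermissions()` also admits the project owner, so it should read `* Set ownership for a specific user (admin or project owner)`. An owner can also pass their own `user_id` with `is_owner=0`, and nothing in this hunk prevents a project from being left with no owner — worth checking whether the model guards against that. `setOwner()` continues past the end of the hunk.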
@@ -273,6 +305,7 @@ class Project extends Base
'user_id' => $this->request->getIntegerParam('user_id'),
);
+ $this->checkProjectOwnerPermissions($values['project_id']);
list($valid,) = $this->projectPermission->validateUserModification($values);
if ($valid) {