diff options
Diffstat (limited to 'app/Middleware/ProjectAuthorizationMiddleware.php')
| -rw-r--r-- | app/Middleware/ProjectAuthorizationMiddleware.php | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/app/Middleware/ProjectAuthorizationMiddleware.php b/app/Middleware/ProjectAuthorizationMiddleware.php new file mode 100644 index 00000000..6000ee0e --- /dev/null +++ b/app/Middleware/ProjectAuthorizationMiddleware.php @@ -0,0 +1,34 @@ +<?php + +namespace Kanboard\Middleware; + +use Kanboard\Core\Controller\AccessForbiddenException; +use Kanboard\Core\Controller\BaseMiddleware; + +/** + * Class ProjectAuthorizationMiddleware + * + * @package Kanboard\Middleware + * @author Frederic Guillot + */ +class ProjectAuthorizationMiddleware extends BaseMiddleware +{ + /** + * Execute middleware + */ + public function execute() + { + $project_id = $this->request->getIntegerParam('project_id'); + $task_id = $this->request->getIntegerParam('task_id'); + + if ($task_id > 0 && $project_id === 0) { + $project_id = $this->taskFinder->getProjectId($task_id); + } + + if ($project_id > 0 && ! $this->helper->user->hasProjectAccess($this->router->getController(), $this->router->getAction(), $project_id)) { + throw new AccessForbiddenException(); + } + + $this->next(); + } +} |