4 files changed, 35 insertions, 7 deletions

diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php
index 520bf70e..d2b02a80 100644
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@@ -103,6 +103,10 @@ class TaskModificationController extends BaseController
 
     protected function updateTask(array &$task, array &$values, array &$errors)
     {
+        if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to change the assignee'));
+        }
+
         $result = $this->taskModificationModel->update($values);
 
         if ($result && ! empty($task['external_uri'])) {
diff --git a/app/Helper/ProjectRoleHelper.php b/app/Helper/ProjectRoleHelper.php
index fd7a690b..508dc9e0 100644
--- a/app/Helper/ProjectRoleHelper.php
+++ b/app/Helper/ProjectRoleHelper.php
@@ -172,6 +172,24 @@ class ProjectRoleHelper extends Base
     }
 
     /**
+     * Return true if the user can change assignee
+     *
+     * @public
+     * @param  array $task
+     * @return bool
+     */
+    public function canChangeAssignee(array $task)
+    {
+        $role = $this->getProjectUserRole($task['project_id']);
+
+        if ($this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_CHANGE_ASSIGNEE)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
      * Check project access
      *
      * @param  string  $controller
diff --git a/app/Helper/TaskHelper.php b/app/Helper/TaskHelper.php
index 69520c03..334f4f33 100644
--- a/app/Helper/TaskHelper.php
+++ b/app/Helper/TaskHelper.php
@@ -93,6 +93,10 @@ class TaskHelper extends Base
 
     public function renderAssigneeField(array $users, array $values, array $errors = array(), array $attributes = array())
     {
+        if (isset($values['project_id']) && ! $this->helper->projectRole->canChangeAssignee($values)) {
+            return '';
+        }
+
         $attributes = array_merge(array('tabindex="3"'), $attributes);
 
         $html = $this->helper->form->label(t('Assignee'), 'owner_id');
diff --git a/app/Model/ProjectRoleRestrictionModel.php b/app/Model/ProjectRoleRestrictionModel.php
index b8f00c17..714b2a65 100644
--- a/app/Model/ProjectRoleRestrictionModel.php
+++ b/app/Model/ProjectRoleRestrictionModel.php
@@ -14,10 +14,11 @@ class ProjectRoleRestrictionModel extends Base
 {
     const TABLE = 'project_role_has_restrictions';
 
-    const RULE_TASK_CREATION    = 'task_creation';
+    const RULE_TASK_CREATION = 'task_creation';
     const RULE_TASK_SUPPRESSION = 'task_remove';
-    const RULE_TASK_OPEN_CLOSE  = 'task_open_close';
-    const RULE_TASK_MOVE        = 'task_move';
+    const RULE_TASK_OPEN_CLOSE = 'task_open_close';
+    const RULE_TASK_MOVE = 'task_move';
+    const RULE_TASK_CHANGE_ASSIGNEE = 'task_change_assignee';
 
     /**
      * Get rules
@@ -27,10 +28,11 @@ class ProjectRoleRestrictionModel extends Base
     public function getRules()
     {
         return array(
-            self::RULE_TASK_CREATION    => t('Task creation is not permitted'),
-            self::RULE_TASK_SUPPRESSION => t('Task suppression is not permitted'),
-            self::RULE_TASK_OPEN_CLOSE  => t('Closing or opening a task is not permitted'),
-            self::RULE_TASK_MOVE        => t('Moving a task is not permitted'),
+            self::RULE_TASK_CREATION        => t('Task creation is not permitted'),
+            self::RULE_TASK_SUPPRESSION     => t('Task suppression is not permitted'),
+            self::RULE_TASK_OPEN_CLOSE      => t('Closing or opening a task is not permitted'),
+            self::RULE_TASK_MOVE            => t('Moving a task is not permitted'),
+            self::RULE_TASK_CHANGE_ASSIGNEE => t('Changing assignee is not permitted'),
         );
     }