From 074f6c104f3e49401ef0065540338fc2d4be79f0 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sat, 23 Sep 2017 18:48:45 -0700
Subject: Avoid people to alter other projects by changing form data
---
 app/Controller/ProjectEditController.php | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'app/Controller/ProjectEditController.php')
diff --git a/app/Controller/ProjectEditController.php b/app/Controller/ProjectEditController.php
index ae39fdf3..dd534508 100644
--- a/app/Controller/ProjectEditController.php
+++ b/app/Controller/ProjectEditController.php
@@ -65,6 +65,8 @@ class ProjectEditController extends BaseController
 */
 private function prepareValues(array $project, array $values)
 {
+ $values['id'] = $project['id'];
+
 if (isset($values['is_private'])) {
 if (! $this->helper->user->hasProjectAccess('ProjectCreationController', 'create', $project['id'])) {
 unset($values['is_private']);
--
cgit v1.2.3
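Review bot: Overwriting `$values['id']` at the top of prepareValues() closes the identifier swap, but every other key of `$values` still comes straight from the submitted form, and whether later code filters them is not visible here because the function body continues past the hunk. If nothing downstream restricts the keys, an allow-list of editable fields (for example with `array_intersect_key()`) would be a sturdier guard than pinning one field at a time. The new line also deserves a why-comment so it is not later removed as redundant, e.g. `// Take the id from the loaded project, never from form data.` A regression test that submits a different `id` and asserts the originally loaded project is the one updated would keep the fix from regressing.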