From 484c9614d1ed325448bf3a6e97e00a9f4448dc93 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Tue, 23 Sep 2014 15:17:04 +0200
Subject: Regular users can remove only their own tasks
---
 app/Controller/Task.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'app/Controller/Task.php')
diff --git a/app/Controller/Task.php b/app/Controller/Task.php
index 7bb989c6..28db5c28 100644
--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -289,6 +289,10 @@ class Task extends Base
 {
 $task = $this->getTask();
+ if (! $this->taskPermission->canRemoveTask($task)) {
+ $this->forbidden();
+ }
+
 if ($this->request->getStringParam('confirmation') === 'yes') {
 $this->checkCSRFParam();
-- cgit v1.2.3
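Review bot: The added guard depends on `$this->forbidden()` ending the request, and nothing in the hunk stops execution after it. If that helper ever returns instead of exiting, a request that failed `canRemoveTask()` would continue into the `confirmation === 'yes'` branch below, which presumably performs the removal. An explicit `return;` after `$this->forbidden();` would keep the check fail-closed whatever the helper does. As far as the hunk shows, the permission is enforced only in this controller action, so any other code path that removes tasks would need the same `canRemoveTask()` check, or the check could move into the model. The method's body starts and ends outside the hunk.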