From 9a8c6d6493191a09720a634c58c230dba1cafeeb Mon Sep 17 00:00:00 2001 From: Frederic Guillot Date: Sat, 8 Apr 2017 10:34:34 -0400 Subject: Improve task update restriction --- app/Controller/TaskModificationController.php | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) (limited to 'app/Controller') diff --git a/app/Controller/TaskModificationController.php b/app/Controller/TaskModificationController.php index a3f68a8b..a53c1a38 100644 --- a/app/Controller/TaskModificationController.php +++ b/app/Controller/TaskModificationController.php @@ -40,6 +40,11 @@ class TaskModificationController extends BaseController public function edit(array $values = array(), array $errors = array()) { $task = $this->getTask(); + + if (! $this->helper->projectRole->canUpdateTask($task)) { + throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); + } + $project = $this->projectModel->getById($task['project_id']); if (empty($values)) { @@ -105,7 +110,14 @@ class TaskModificationController extends BaseController protected function updateTask(array &$task, array &$values, array &$errors) { - $this->checkPermission($task, $values); + if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) { + throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); + } + + if (! $this->helper->projectRole->canUpdateTask($task)) { + throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); + } + $result = $this->taskModificationModel->update($values); if ($result && ! empty($task['external_uri'])) { @@ -122,15 +134,4 @@ class TaskModificationController extends BaseController return $result; } - - protected function checkPermission(array &$task, array &$values) - { - if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) { - throw new AccessForbiddenException(t('You are not allowed to change the assignee.')); - } - - if (! $this->helper->projectRole->canUpdateTask($task)) { - throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.')); - } - } } -- cgit v1.2.3