From 484c9614d1ed325448bf3a6e97e00a9f4448dc93 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Tue, 23 Sep 2014 15:17:04 +0200
Subject: Regular users can remove only their own tasks

---
 app/Controller/Base.php | 5 +++++
 app/Controller/Task.php | 4 ++++
 app/Model/TaskPermission.php | 32 ++++++++++++++++++++++++++++++++
 app/Templates/task_layout.php | 2 +-
 app/Templates/task_sidebar.php | 4 +++-
 5 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 app/Model/TaskPermission.php
(limited to 'app')

diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index e9957bbd..e07aabf7 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -31,6 +31,7 @@ use Model\LastLogin;
 * @property \Model\Task $task
 * @property \Model\TaskHistory $taskHistory
 * @property \Model\TaskExport $taskExport
+ * @property \Model\TaskPermission $taskPermission
 * @property \Model\TaskValidator $taskValidator
 * @property \Model\CommentHistory $commentHistory
 * @property \Model\SubtaskHistory $subtaskHistory
@@ -242,6 +243,10 @@ abstract class Base
 */
 protected function taskLayout($template, array $params)
 {
+ if (isset($params['task']) && $this->taskPermission->canRemoveTask($params['task']) === false) {
+ $params['hide_remove_menu'] = true;
+ }
+
 $content = $this->template->load($template, $params);
 $params['task_content_for_layout'] = $content;
 
diff --git a/app/Controller/Task.php b/app/Controller/Task.php
index 7bb989c6..28db5c28 100644
--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -289,6 +289,10 @@ class Task extends Base
 {
 $task = $this->getTask();
 
+ if (! $this->taskPermission->canRemoveTask($task)) {
+ $this->forbidden();
+ }
+
 if ($this->request->getStringParam('confirmation') === 'yes') {

 $this->checkCSRFParam();
diff --git a/app/Model/TaskPermission.php b/app/Model/TaskPermission.php
new file mode 100644
index 00000000..2ab154f4
--- /dev/null
+++ b/app/Model/TaskPermission.php
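Review bot: The guard in taskLayout negates the permission result as `canRemoveTask(...) === false`, while the same check in Task.php in this patch is written `! $this->taskPermission->canRemoveTask($task)`; the two should read the same, e.g. `if (isset($params['task']) && ! $this->taskPermission->canRemoveTask($params['task'])) {`. This flag only controls what the layout renders (the task_layout hunk later in the patch forwards it to the sidebar template), whereas the real enforcement is the forbidden() call in Task::remove, so a one-line comment above the new `if` such as `// Presentation only: Task::remove() enforces the permission` would stop a future reader from taking this branch for the access control. taskLayout's body continues past the end of the hunk.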
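Review bot: The new guard in Task::remove is only effective if `$this->forbidden()` terminates the request; its body is not visible here, and if it merely renders a page and returns, execution continues into the confirmation branch and the task is still removed for a non-owner. Either confirm that forbidden() never returns, or make the guard self-contained: `$this->forbidden(); return;`. Placing the check before the confirmation/CSRF handling is correct, since it covers both the confirmation page and the confirmed request with one test. The enclosing method starts before the hunk.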
@@ -0,0 +1,32 @@
+acl->isAdminUser()) {
+ return true;
+ }
+ else if (isset($task['creator_id']) && $task['creator_id'] == $this->acl->getUserId()) {
+ return true;
+ }
+
+ return false;
+ }
+}
diff --git a/app/Templates/task_layout.php b/app/Templates/task_layout.php
index 96c45608..ca0a413f 100644
--- a/app/Templates/task_layout.php
+++ b/app/Templates/task_layout.php
@@ -7,7 +7,7 @@
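Review bot: `$task['creator_id'] == $this->acl->getUserId()` in canRemoveTask uses loose comparison for an authorization decision; the creator id presumably arrives from the database and the user id from the session, so their scalar types may differ, and normalising both sides before a strict comparison removes PHP's type-juggling from the access check: `(int) $task['creator_id'] === (int) $this->acl->getUserId()`. The `else if` after an unconditional `return true` is redundant, and the whole method collapses to one expression: `return $this->acl->isAdminUser() || (isset($task['creator_id']) && (int) $task['creator_id'] === (int) $this->acl->getUserId());`. The `isset` guard means a task with no creator_id is not removable by a regular user, which fails closed and deserves a short comment saying so. The opening of the new file, including any docblock and the class and method headers, is garbled in this rendering and could not be reviewed.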
- $task)) ?> + $task, 'hide_remove_menu' => isset($hide_remove_menu))) ?>
diff --git a/app/Templates/task_sidebar.php b/app/Templates/task_sidebar.php
index 4d363fec..4cffd5fa 100644
--- a/app/Templates/task_sidebar.php
+++ b/app/Templates/task_sidebar.php
@@ -18,7 +18,9 @@
-
  • + +
  • +
    \ No newline at end of file -- cgit v1.2.3