From 69d233eaa079e54dd9653d7b777c9397d138e000 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot
Date: Fri, 1 Dec 2017 14:36:03 -0800
Subject: Improve permission checks on custom filters page
---
 app/Controller/CustomFilterController.php | 8 +++++---
 app/Template/custom_filter/index.php | 4 ++--
 2 files changed, 7 insertions(+), 5 deletions(-)
(limited to 'app')
diff --git a/app/Controller/CustomFilterController.php b/app/Controller/CustomFilterController.php
index 1bf1617e..3e2de713 100644
--- a/app/Controller/CustomFilterController.php
+++ b/app/Controller/CustomFilterController.php
@@ -182,10 +182,12 @@ class CustomFilterController extends BaseController
 private function checkPermission(array $project, array $filter)
 {
- $user_id = $this->userSession->getId();
+ $userID = $this->userSession->getId();
- if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) {
- throw new AccessForbiddenException();
+ if ($filter['user_id'] != $userID) {
+ if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) {
+ throw new AccessForbiddenException();
+ }
 }
 }
 }
diff --git a/app/Template/custom_filter/index.php b/app/Template/custom_filter/index.php
index 9180deee..a1dc223d 100644
--- a/app/Template/custom_filter/index.php
+++ b/app/Template/custom_filter/index.php
@@ -18,9 +18,9 @@
- user->getId() || $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
+ user->getId() || $this->user->isAdmin() || $this->projectRole->getProjectUserRole($project['id']) == \Kanboard\Core\Security\Role::PROJECT_MANAGER) && $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
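Review bot: The owner test `$filter['user_id'] != $userID` in the new outer `if` of checkPermission still compares loosely while the role test right below it was tightened to `!==`; `$filter['user_id']` presumably comes back from the database as a string, so normalise and compare strictly, `if ((int) $filter['user_id'] !== $userID) {`, and the same loose `==` is used for both the owner and the `Role::PROJECT_MANAGER` comparison in the app/Template/custom_filter/index.php hunk. That template hunk also restates the owner-or-project-manager-or-admin rule that this method enforces, so the authorization decision now lives in two places that can drift apart; a single helper (a `canManageFilter`-style method, constructed name) called by both the controller and the template would keep one source of truth. A short comment above the nested role check would make the intent readable without decoding the boolean: `// Only the filter owner, a manager of this project, or an application admin may change or remove it`. checkPermission's docblock sits above the hunk and should document the same rule under `@throws AccessForbiddenException`.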