From a0227cad69aff9486fba1d7b2a19e6da97450100 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sat, 10 Sep 2016 23:12:38 -0400
Subject: Define only what is allowed for column restrictions
---
app/Controller/AppController.php | 17 +++++++++--------
app/Controller/BoardAjaxController.php | 2 +-
app/Core/Controller/Runner.php | 2 +-
app/Helper/BoardHelper.php | 2 +-
app/Middleware/PostAuthenticationMiddleware.php | 4 ++--
app/Model/ColumnMoveRestrictionModel.php | 2 +-
app/Template/column_move_restriction/create.php | 2 +-
app/Template/project_role/show.php | 7 ++-----
8 files changed, 18 insertions(+), 20 deletions(-)
(limited to 'app')
diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php
index 45cf39a5..34b9c8cc 100644
--- a/app/Controller/AppController.php
+++ b/app/Controller/AppController.php
@@ -16,18 +16,19 @@ class AppController extends Base
* Forbidden page
*
* @access public
- * @param bool $withoutLayout
+ * @param bool $withoutLayout
+ * @param string $message
*/
- public function accessForbidden($withoutLayout = false)
+ public function accessForbidden($withoutLayout = false, $message = '')
{
if ($this->request->isAjax()) {
- $this->response->json(array('message' => 'Access Forbidden'), 403);
+ $this->response->json(array('message' => $message ?: t('Access Forbidden')), 403);
+ } else {
+ $this->response->html($this->helper->layout->app('app/forbidden', array(
+ 'title' => t('Access Forbidden'),
+ 'no_layout' => $withoutLayout,
+ )));
}
-
- $this->response->html($this->helper->layout->app('app/forbidden', array(
- 'title' => t('Access Forbidden'),
- 'no_layout' => $withoutLayout,
- )));
}
/**
diff --git a/app/Controller/BoardAjaxController.php b/app/Controller/BoardAjaxController.php
index 5e771fd6..cc3b846e 100644
--- a/app/Controller/BoardAjaxController.php
+++ b/app/Controller/BoardAjaxController.php
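Review bot: The new `$message` argument is consumed only by the AJAX branch; the HTML branch still renders the fixed `'title' => t('Access Forbidden')`, so a reason attached to an AccessForbiddenException (see the Runner.php hunk) reaches API clients but never browser users — either pass it into the view data or document the asymmetry on the method. The `$message ?: t('Access Forbidden')` fallback tests truthiness, so a message of `'0'` would be replaced by the generic text; `$message !== '' ? $message : t('Access Forbidden')` matches the declared default of `''`. The docblock should also state that the value is emitted verbatim in the 403 body, e.g. `@param string $message User-facing reason sent to the client; empty selects the generic text`.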
@@ -36,7 +36,7 @@ class BoardAjaxController extends BaseController
);
if (! $canMoveTask) {
- throw new AccessForbiddenException("You don't have the permission to move this task");
+ throw new AccessForbiddenException(e("You don't have the permission to move this task"));
}
$result =$this->taskPositionModel->movePosition(
diff --git a/app/Core/Controller/Runner.php b/app/Core/Controller/Runner.php
index 8353cf69..48346390 100644
--- a/app/Core/Controller/Runner.php
+++ b/app/Core/Controller/Runner.php
@@ -35,7 +35,7 @@ class Runner extends Base
$controllerObject->notFound($e->hasLayout());
} catch (AccessForbiddenException $e) {
$controllerObject = new AppController($this->container);
- $controllerObject->accessForbidden($e->hasLayout());
+ $controllerObject->accessForbidden($e->hasLayout(), $e->getMessage());
}
}
diff --git a/app/Helper/BoardHelper.php b/app/Helper/BoardHelper.php
index 394d80b7..9e8e78ac 100644
--- a/app/Helper/BoardHelper.php
+++ b/app/Helper/BoardHelper.php
@@ -38,7 +38,7 @@ class BoardHelper extends Base
if ($this->role->isCustomProjectRole($role)) {
$srcColumnIds = $this->columnMoveRestrictionCacheDecorator->getAllSrcColumns($task['project_id'], $role);
- return ! isset($srcColumnIds[$task['column_id']]);
+ return isset($srcColumnIds[$task['column_id']]);
}
return true;
diff --git a/app/Middleware/PostAuthenticationMiddleware.php b/app/Middleware/PostAuthenticationMiddleware.php
index f7eccbce..8ad1f1a3 100644
--- a/app/Middleware/PostAuthenticationMiddleware.php
+++ b/app/Middleware/PostAuthenticationMiddleware.php
@@ -26,9 +26,9 @@ class PostAuthenticationMiddleware extends BaseMiddleware
if ($this->request->isAjax()) {
$this->response->text('Not Authorized', 401);
+ } else {
+ $this->response->redirect($this->helper->url->to('TwoFactorController', 'code'));
}
-
- $this->response->redirect($this->helper->url->to('TwoFactorController', 'code'));
}
$this->next();
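Review bot: The message is now built with `e()` while the fallback in `AppController::accessForbidden()` uses `t()`, and this string ends up in a JSON body rather than in HTML, so the choice of helper decides whether the apostrophe in "don't" reaches API clients as plain text or as an HTML entity; the hunk does not show what `e()` does, so a comment stating the intent would help, e.g. `// Sent as JSON by AppController::accessForbidden(); translate without HTML escaping`. If `e()` turns out to HTML-escape, the escaping should instead happen at the output boundary for the actual context. The enclosing action method starts and ends outside the hunk.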
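Review bot: Passing `$e->getMessage()` to `accessForbidden()` turns every AccessForbiddenException message in the application into client-visible 403 response text, not only the one updated in the BoardAjaxController.php hunk. Any existing throw site that uses developer-oriented or untranslated wording now leaks it to the caller, so each one should be checked, and the contract belongs in a comment at the catch, e.g. `// The exception message is sent to the client as the 403 body; throw sites must supply user-facing text.` The enclosing method of Runner starts outside the hunk.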
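Review bot: Dropping the `!` turns the restriction lookup into an allow-list — a custom role can now move a task only out of columns that have a restriction row — and the same inversion is made in the ColumnMoveRestrictionModel.php hunk (`isAllowed`). Rows created under the previous deny semantics keep their data but flip meaning; the diff is limited to app/, so a data migration may exist elsewhere, but nothing here converts or clears them, and the decorator name `getAllSrcColumns` no longer hints at the new meaning. A comment at the return would make the intent explicit: `// Custom roles may move a task only out of columns explicitly listed as allowed sources`. The enclosing method starts outside the hunk.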
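Review bot: Both branches still fall through to `$this->next();` at the end of the hunk, so unless `text()` or `redirect()` terminates the request (not visible here), the remaining middleware and the controller run for a session that has not completed two-factor validation. Adding `return;` after the inner if/else, inside the outer block that starts outside the hunk, makes the stop explicit and independent of how the response object behaves. The `else` restructuring otherwise mirrors the AppController.php hunk.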
diff --git a/app/Model/ColumnMoveRestrictionModel.php b/app/Model/ColumnMoveRestrictionModel.php
index aae1a391..27c9afab 100644
--- a/app/Model/ColumnMoveRestrictionModel.php
+++ b/app/Model/ColumnMoveRestrictionModel.php
@@ -25,7 +25,7 @@ class ColumnMoveRestrictionModel extends Base
*/
public function isAllowed($project_id, $role, $src_column_id, $dst_column_id)
{
- return ! $this->db->table(self::TABLE)
+ return $this->db->table(self::TABLE)
->left(ProjectRoleModel::TABLE, 'pr', 'role_id', self::TABLE, 'role_id')
->eq(self::TABLE.'.project_id', $project_id)
->eq(self::TABLE.'.src_column_id', $src_column_id)
diff --git a/app/Template/column_move_restriction/create.php b/app/Template/column_move_restriction/create.php
index 69a75ce0..8d161c3e 100644
--- a/app/Template/column_move_restriction/create.php
+++ b/app/Template/column_move_restriction/create.php
@@ -19,6 +19,6 @@ url->link(t('cancel'), 'ProjectRoleController', 'show', array(), false, 'close-popover') ?>
-
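Review bot: The docblock that closes at `*/` inside the hunk describes `isAllowed` from outside it; with the `!` removed the method presumably answers true only when a restriction row matches the role and column pair (the query chain continues past the hunk, so the final existence check is not visible), and the description should say so, e.g. `Return true only if a restriction row explicitly allows moving from $src_column_id to $dst_column_id for this role`. Since this inverts the meaning of every existing row, the docblock is also the place to state that rows are allow entries, not deny entries.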

+

diff --git a/app/Template/project_role/show.php b/app/Template/project_role/show.php
index 2114a1c9..5fbd413b 100644
--- a/app/Template/project_role/show.php
+++ b/app/Template/project_role/show.php
@@ -16,7 +16,7 @@