AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add project restriction to block task edition

This commit is contained in:
Frederic Guillot 2017-04-07 21:46:36 -04:00
parent 481e767d35
commit 003c03a4e6
6 changed files with 44 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
app/Controller/TaskModificationController.php
View File

@ -22,7 +22,9 @@ class TaskModificationController extends BaseController
public function start()
{
$task = $this->getTask();
$this->taskModificationModel->update(array('id' => $task['id'], 'date_started' => time()));
$values = array('id' => $task['id'], 'date_started' => time());
$this->checkPermission($task, $values);
$this->taskModificationModel->update($values);
$this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('project_id' => $task['project_id'], 'task_id' => $task['id'])));
}
@ -103,10 +105,7 @@ class TaskModificationController extends BaseController
protected function updateTask(array &$task, array &$values, array &$errors)
{
if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && ! $this->helper->projectRole->canChangeAssignee($task)) {
throw new AccessForbiddenException(t('You are not allowed to change the assignee'));
}
$this->checkPermission($task, $values);
$result = $this->taskModificationModel->update($values);
if ($result && ! empty($task['external_uri'])) {
@ -123,4 +122,15 @@ class TaskModificationController extends BaseController
return $result;
}
protected function checkPermission(array &$task, array &$values)
{
if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
}
if (! $this->helper->projectRole->canUpdateTask($task)) {
throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
}
}
}

18
app/Helper/ProjectRoleHelper.php
View File

@ -189,6 +189,24 @@ class ProjectRoleHelper extends Base
return true;
}
/**
* Return true if the user can update a task
*
* @public
* @param array $task
* @return bool
*/
public function canUpdateTask(array $task)
{
$role = $this->getProjectUserRole($task['project_id']);
if ($task['owner_id'] != $this->userSession->getId() && $this->hasRestriction($task['project_id'], $role, ProjectRoleRestrictionModel::RULE_TASK_UPDATE_ASSIGNED)) {
return false;
}
return true;
}
/**
* Check project access
*

2
app/Model/ProjectRoleRestrictionModel.php
View File

@ -19,6 +19,7 @@ class ProjectRoleRestrictionModel extends Base
const RULE_TASK_OPEN_CLOSE = 'task_open_close';
const RULE_TASK_MOVE = 'task_move';
const RULE_TASK_CHANGE_ASSIGNEE = 'task_change_assignee';
const RULE_TASK_UPDATE_ASSIGNED = 'task_update_assigned';
/**
* Get rules
@ -33,6 +34,7 @@ class ProjectRoleRestrictionModel extends Base
self::RULE_TASK_OPEN_CLOSE => t('Closing or opening a task is not permitted'),
self::RULE_TASK_MOVE => t('Moving a task is not permitted'),
self::RULE_TASK_CHANGE_ASSIGNEE => t('Changing assignee is not permitted'),
self::RULE_TASK_UPDATE_ASSIGNED => t('Update only assigned tasks'),
);
}

4
assets/js/app.min.js vendored
View File

File diff suppressed because one or more lines are too long

6
assets/js/core/modal.js
View File

@ -37,6 +37,12 @@
} else {
destroy();
}
}).error(function (response) {
KB.trigger('modal.stop');
if (response.hasOwnProperty('message')) {
window.alert(response.message);
}
});
}
}

2
tests/units/Model/ProjectRoleRestrictionModelTest.php
View File

@ -90,7 +90,7 @@ class ProjectRoleRestrictionModelTest extends Base
$projectRoleRestrictionModel = new ProjectRoleRestrictionModel($this->container);
$rules = $projectRoleRestrictionModel->getRules();
$this->assertCount(5, $rules);
$this->assertCount(6, $rules);
$this->assertArrayHasKey(ProjectRoleRestrictionModel::RULE_TASK_OPEN_CLOSE, $rules);
}
}