Allow urls without project_id

app/Controller/Base.php

@@ -165,16 +165,17 @@ abstract class Base
         $this->container['dispatcher']->dispatch('session.bootstrap', new Event);
 
         if (! $this->acl->isPublicAction($controller, $action)) {
-            $this->handleAuthenticatedUser($controller, $action);
+            $this->handleAuthentication($controller, $action);
+            $this->handleAuthorization($controller, $action);
         }
     }
 
     /**
-     * Check page access and authentication
+     * Check authentication
      *
      * @access public
      */
-    public function handleAuthenticatedUser($controller, $action)
+    public function handleAuthentication($controller, $action)
     {
         if (! $this->authentication->isAuthenticated()) {
 
@@ -184,8 +185,24 @@ abstract class Base
 
             $this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString()));
         }
+    }
 
-        if (! $this->acl->isAllowed($controller, $action, $this->request->getIntegerParam('project_id', 0))) {
+    /**
+     * Check page access and authorization
+     *
+     * @access public
+     */
+    public function handleAuthorization($controller, $action)
+    {
+        $project_id = $this->request->getIntegerParam('project_id');
+        $task_id = $this->request->getIntegerParam('task_id');
+        
+        // Allow urls without "project_id"
+        if ($task_id > 0 && $project_id === 0) {
+            $project_id = $this->taskFinder->getProjectId($task_id);
+        }
+
+        if (! $this->acl->isAllowed($controller, $action, $project_id)) {
             $this->forbidden();
         }
     }
@@ -287,7 +304,7 @@ abstract class Base
     {
         $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
 
-        if (! $task || $task['project_id'] != $this->request->getIntegerParam('project_id')) {
+        if (! $task) {
             $this->notfound();
         }