From 2d5621af2f3678ce4959a450663f5657098144bc Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Fri, 7 Aug 2015 18:07:19 -0400
Subject: [PATCH] Fix permission issue when changing the url manually
---
 ChangeLog | 1 +
 app/Controller/Base.php | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 0f181028d..035e838f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@ Bug fixes:
 * Wrong template name for subtasks tooltip due to previous refactoring
 * Fix broken url for closed tasks in project view
+* Fix permission issue when changing the url manually
 Version 1.0.17
 --------------
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index f68c47557..bfcbfd2a3 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -269,12 +269,17 @@ abstract class Base extends \Core\Base
 */
 protected function getTask()
 {
+ $project_id = $this->request->getIntegerParam('project_id');
 $task = $this->taskFinder->getDetails($this->request->getIntegerParam('task_id'));
 if (empty($task)) {
 $this->notfound();
 }
+ if ($project_id !== 0 && $project_id != $task['project_id']) {
+ $this->forbidden();
+ }
+
 return $task;
 }
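Review bot: The new guard in getTask() is skipped whenever `project_id` is missing from the request, because `$project_id !== 0` short-circuits it and getIntegerParam() presumably yields 0 for an absent parameter, so a request without `project_id` still gets the task back with no project comparison at all. Unless the access-control layer outside this hunk already rejects task requests that carry no `project_id`, the check should not depend on a client-supplied value being present: either treat the missing parameter as a failure, `if ($project_id === 0 || $project_id != $task['project_id']) { $this->forbidden(); }`, or authorize the current user against `$task['project_id']` directly. The loose `!=` is probably deliberate because the row value may come back as a string; an explicit cast, `$project_id !== (int) $task['project_id']`, keeps the comparison strict. A one-line comment above the guard, such as `// Project permissions are evaluated on the URL's project_id, so the task must belong to that project`, would record why the check exists.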