Regular users can remove only their own tasks

2014-09-23 15:17:04 +02:00
parent 0bd0beba41
commit 484c9614d1
6 changed files with 145 additions and 2 deletions
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -31,6 +31,7 @@ use Model\LastLogin;
 * @property \Model\Task               $task
 * @property \Model\TaskHistory        $taskHistory
 * @property \Model\TaskExport         $taskExport
+ * @property \Model\TaskPermission     $taskPermission
 * @property \Model\TaskValidator      $taskValidator
 * @property \Model\CommentHistory     $commentHistory
 * @property \Model\SubtaskHistory     $subtaskHistory
@@ -242,6 +243,10 @@ abstract class Base
     */
    protected function taskLayout($template, array $params)
    {
+        if (isset($params['task']) && $this->taskPermission->canRemoveTask($params['task']) === false) {
+            $params['hide_remove_menu'] = true;
+        }
+
        $content = $this->template->load($template, $params);
        $params['task_content_for_layout'] = $content;

--- a/app/Controller/Task.php
+++ b/app/Controller/Task.php
@@ -289,6 +289,10 @@ class Task extends Base
    {
        $task = $this->getTask();

+        if (! $this->taskPermission->canRemoveTask($task)) {
+            $this->forbidden();
+        }
+
        if ($this->request->getStringParam('confirmation') === 'yes') {

            $this->checkCSRFParam();
--- a/app/Model/TaskPermission.php
+++ b/app/Model/TaskPermission.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Model;
+
+/**
+ * Task permission model
+ *
+ * @package  model
+ * @author   Frederic Guillot
+ */
+class TaskPermission extends Base
+{
+    /**
+     * Return true if the user can remove a task
+     *
+     * Regular users can't remove tasks from other people
+     *
+     * @public
+     * @return boolean
+     */
+    public function canRemoveTask(array $task)
+    {
+        if ($this->acl->isAdminUser()) {
+            return true;
+        }
+        else if (isset($task['creator_id']) && $task['creator_id'] == $this->acl->getUserId()) {
+            return true;
+        }
+
+        return false;
+    }
+}
--- a/app/Templates/task_layout.php
+++ b/app/Templates/task_layout.php
@@ -7,7 +7,7 @@
    </div>
    <section class="task-show" id="task-section">

-        <?= Helper\template('task_sidebar', array('task' => $task)) ?>
+        <?= Helper\template('task_sidebar', array('task' => $task, 'hide_remove_menu' => isset($hide_remove_menu))) ?>

        <div class="task-show-main">
            <?= $task_content_for_layout ?>
--- a/app/Templates/task_sidebar.php
+++ b/app/Templates/task_sidebar.php
@@ -18,7 +18,9 @@
                    <a href="?controller=task&amp;action=open&amp;task_id=<?= $task['id'] ?>"><?= t('Open this task') ?></a>
                <?php endif ?>
            </li>
-            <li><a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
+            <?php if (! $hide_remove_menu): ?>
+                <li><a href="?controller=task&amp;action=remove&amp;task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
+            <?php endif ?>
        </ul>
    </div>
 </div>