AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve permission checks on custom filters page

This commit is contained in:
Frédéric Guillot 2017-12-01 14:36:03 -08:00
parent d21aed4e3b
commit 69d233eaa0
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
app/Controller/CustomFilterController.php
View File

@ -182,10 +182,12 @@ class CustomFilterController extends BaseController
private function checkPermission(array $project, array $filter)
{
$user_id = $this->userSession->getId();
$userID = $this->userSession->getId();
if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) {
throw new AccessForbiddenException();
if ($filter['user_id'] != $userID) {
if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) {
throw new AccessForbiddenException();
}
}
}
}

4
app/Template/custom_filter/index.php
View File

@ -18,9 +18,9 @@
<?php foreach ($custom_filters as $filter): ?>
<tr>
<td>
<?php if ($filter['user_id'] == $this->user->getId() || $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
<?php if (($filter['user_id'] == $this->user->getId() || $this->user->isAdmin() || $this->projectRole->getProjectUserRole($project['id']) == \Kanboard\Core\Security\Role::PROJECT_MANAGER) && $this->user->hasProjectAccess('CustomFilterController', 'edit', $project['id'])): ?>
<div class="dropdown">
<a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog fa-fw"></i><i class="fa fa-caret-down"></i></a>
<a href="#" class="dropdown-menu dropdown-menu-link-icon"><i class="fa fa-cog"></i><i class="fa fa-caret-down"></i></a>
<ul>
<li><?= $this->modal->medium('edit', t('Edit'), 'CustomFilterController', 'edit', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li>
<li><?= $this->modal->confirm('trash-o', t('Remove'), 'CustomFilterController', 'confirm', array('project_id' => $filter['project_id'], 'filter_id' => $filter['id'])) ?></li>