Improve permission checks on custom filters page

2017-12-01 14:36:03 -08:00
parent d21aed4e3b
commit 69d233eaa0
2 changed files with 7 additions and 5 deletions
--- a/app/Controller/CustomFilterController.php
+++ b/app/Controller/CustomFilterController.php
@@ -182,10 +182,12 @@ class CustomFilterController extends BaseController

    private function checkPermission(array $project, array $filter)
    {
-        $user_id = $this->userSession->getId();
+        $userID = $this->userSession->getId();

-        if ($filter['user_id'] != $user_id && ($this->projectUserRoleModel->getUserRole($project['id'], $user_id) === Role::PROJECT_MANAGER || ! $this->userSession->isAdmin())) {
-            throw new AccessForbiddenException();
+        if ($filter['user_id'] != $userID) {
+            if ($this->projectUserRoleModel->getUserRole($project['id'], $userID) !== Role::PROJECT_MANAGER && ! $this->userSession->isAdmin()) {
+                throw new AccessForbiddenException();
+            }
        }
    }
 }