AS1024/Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve task update restriction

Browse Source
This commit is contained in:
Frederic Guillot
2017-04-08 10:34:34 -04:00
parent 003c03a4e6
commit 9a8c6d6493
3 changed files with 24 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
app/Controller/TaskModificationController.php
View File

@@ -40,6 +40,11 @@ class TaskModificationController extends BaseController
public function edit(array $values = array(), array $errors = array())
{
$task = $this->getTask();
if (! $this->helper->projectRole->canUpdateTask($task)) {
throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
}
$project = $this->projectModel->getById($task['project_id']);
if (empty($values)) {
@@ -105,7 +110,14 @@ class TaskModificationController extends BaseController
protected function updateTask(array &$task, array &$values, array &$errors)
{
$this->checkPermission($task, $values);
if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
}
if (! $this->helper->projectRole->canUpdateTask($task)) {
throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
}
$result = $this->taskModificationModel->update($values);
if ($result && ! empty($task['external_uri'])) {
@@ -122,15 +134,4 @@ class TaskModificationController extends BaseController
return $result;
}
protected function checkPermission(array &$task, array &$values)
{
if (isset($values['owner_id']) && $values['owner_id'] != $task['owner_id'] && !$this->helper->projectRole->canChangeAssignee($task)) {
throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
}
if (! $this->helper->projectRole->canUpdateTask($task)) {
throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
}
}
}