From c20be8f5fa26e54005a90c645e80b11481a65053 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Mon, 29 May 2023 18:12:24 -0700
Subject: [PATCH] Add missing project permission check for Move/Duplicate task to another project
---
 app/Controller/TaskDuplicationController.php | 26 ++++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/app/Controller/TaskDuplicationController.php b/app/Controller/TaskDuplicationController.php
index 6ebb6d592..a700d0003 100644
--- a/app/Controller/TaskDuplicationController.php
+++ b/app/Controller/TaskDuplicationController.php
@@ -2,6 +2,8 @@ namespace Kanboard\Controller;
+use Kanboard\Core\Controller\AccessForbiddenException;
+
 /**
 * Task Duplication controller
 *
@@ -50,14 +52,20 @@ class TaskDuplicationController extends BaseController
 $values = $this->request->getValues();
 list($valid, ) = $this->taskValidator->validateProjectModification($values);
- if ($valid && $this->taskProjectMoveModel->moveToProject($task['id'],
+ if ($valid) {
+ if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
+ throw new AccessForbiddenException();
+ }
+
+ if ($this->taskProjectMoveModel->moveToProject($task['id'],
 $values['project_id'],
 $values['swimlane_id'],
 $values['column_id'],
 $values['category_id'],
 $values['owner_id'])) {
- $this->flash->success(t('Task updated successfully.'));
- return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
+ $this->flash->success(t('Task updated successfully.'));
+ return $this->response->redirect($this->helper->url->to('TaskViewController', 'show', array('task_id' => $task['id'])));
+ }
 }
 $this->flash->failure(t('Unable to update your task.'));
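Review bot: The `isUserAllowed` guard added before `moveToProject` only establishes that the current user has some membership in the destination project; as far as this hunk shows it does not distinguish read-only roles, so a user who can merely view the target project may still be able to move a task into it, which is a write on that project. If the user helper's `hasProjectAccess` is the role-aware check its name suggests, that is the stronger test here, e.g. `if (! $this->helper->user->hasProjectAccess('TaskDuplicationController', 'move', $values['project_id'])) {`. Separately, `$values['swimlane_id']`, `$values['column_id']` and `$values['category_id']` are forwarded to `moveToProject` with no visible check that they belong to `$values['project_id']`, so unless `validateProjectModification` or the model enforces that, a task can end up referencing a column or swimlane of a project the user was never checked against. The enclosing method (presumably the move action) starts outside the hunk.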
@@ -80,9 +88,17 @@ class TaskDuplicationController extends BaseController
 list($valid, ) = $this->taskValidator->validateProjectModification($values);
 if ($valid) {
+ if (! $this->projectPermissionModel->isUserAllowed($values['project_id'], $this->userSession->getId())) {
+ throw new AccessForbiddenException();
+ }
+
 $task_id = $this->taskProjectDuplicationModel->duplicateToProject(
- $task['id'], $values['project_id'], $values['swimlane_id'],
- $values['column_id'], $values['category_id'], $values['owner_id']
+ $task['id'],
+ $values['project_id'],
+ $values['swimlane_id'],
+ $values['column_id'],
+ $values['category_id'],
+ $values['owner_id']
 );
 if ($task_id > 0) {
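Review bot: The permission check added at the top of this `if ($valid)` block is a verbatim copy of the one added to the move action, both keyed on the same `$values['project_id']` and `$this->userSession->getId()`; extracting it into one private helper that throws `AccessForbiddenException` keeps the two authorization paths from drifting the next time the rule changes (for instance if a role-aware check replaces `isUserAllowed`). As in the move hunk, the destination `swimlane_id`, `column_id`, `category_id` and `owner_id` are forwarded to `duplicateToProject` with no visible check that they belong to the destination project, so if the model does not normalise them that integrity check is still missing. The enclosing method starts outside the hunk.
```php
    if ($valid) {
        $this->checkDestinationProjectPermission($values['project_id']);

        // … unchanged: duplicateToProject call and redirect …

    /**
     * Abort with 403 unless the current user may write to the destination project.
     * Shared by the move and duplicate actions so the rule lives in one place.
     */
    private function checkDestinationProjectPermission($project_id)
    {
        if (! $this->projectPermissionModel->isUserAllowed($project_id, $this->userSession->getId())) {
            throw new AccessForbiddenException();
        }
    }
```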