Fix permission check before "Assign to me"

Users who should not be able to change assignee cannot "assign to me" Fixes #4121
2019-01-10 01:17:03 -02:00 · 2019-01-10 01:17:03 -02:00 · f79a2ee5e7
parent 0deaeb58e6
commit f79a2ee5e7
2 changed files with 5 additions and 1 deletions
--- a/app/Controller/TaskModificationController.php
+++ b/app/Controller/TaskModificationController.php
@ -22,6 +22,10 @@ class TaskModificationController extends BaseController
        if (! $this->helper->projectRole->canUpdateTask($task)) {
            throw new AccessForbiddenException(t('You are not allowed to update tasks assigned to someone else.'));
        }
+        
+        if (! $this->helper->projectRole->canChangeAssignee($task)) {
+            throw new AccessForbiddenException(t('You are not allowed to change the assignee.'));
+        }

        $this->taskModificationModel->update($values);
        $this->redirectAfterQuickAction($task);
--- a/app/Template/task/dropdown.php
+++ b/app/Template/task/dropdown.php
@ -2,7 +2,7 @@
    <a href="#" class="dropdown-menu dropdown-menu-link-icon"><strong>#<?= $task['id'] ?> <i class="fa fa-caret-down"></i></strong></a>
    <ul>
        <?php if ($this->projectRole->canUpdateTask($task)): ?>
-            <?php if (array_key_exists('owner_id', $task) && $task['owner_id'] != $this->user->getId()): ?>
+            <?php if ($this->projectRole->canChangeAssignee($task) && array_key_exists('owner_id', $task) && $task['owner_id'] != $this->user->getId()): ?>
            <li>
                <?= $this->url->icon('hand-o-right', t('Assign to me'), 'TaskModificationController', 'assignToMe', ['task_id' => $task['id'], 'project_id' => $task['project_id'], 'redirect' => isset($redirect) ? $redirect : '']) ?>
            </li>