author | Bharat Mediratta <bharat@menalto.com> | 2008-12-13 09:53:36 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2008-12-13 09:53:36 +0000 |
commit | 65e237a59a99d7c5e8c32cdc7c730414f6dea30f (patch) | |
tree | c8102906fb2a3a4a2dc1baf10e94d19b32a9716f | |
parent | ee688d1f37ec424d6761bff7008021b6a122c76f (diff) |
Fix security pattern. We can't successfully call access::can unless the item is loaded.
-rw-r--r-- | modules/tag/controllers/tags.php | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index aba8ce32..625f1ac6 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -54,11 +54,8 @@ class Tags_Controller extends REST_Controller {
 $form = tag::get_add_form($this->input->post('item_id'));
 if ($form->validate()) {
 $item = ORM::factory("item", $this->input->post("item_id"));
- if (access::can("edit", $item)) {
- if ($item->loaded) {
- tag::add($item, $this->input->post("tag_name"));
- }
-
+ if ($item->loaded && access::can("edit", $item)) {
+ tag::add($item, $this->input->post("tag_name"));
 rest::http_status(rest::CREATED);
 rest::http_location(url::site("tags/{$tag->id}"));
 } else { |
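Review bot: `$tag` in the context line `rest::http_location(url::site("tags/{$tag->id}"))` is never assigned in the visible lines, and the return value of `tag::add(...)` on the added line is discarded, so the Location header may be built from an undefined variable. If `tag::add` returns the tag it created (not visible here, so worth confirming), the added line could read `$tag = tag::add($item, $this->input->post("tag_name"));`. The new condition also relies on `&&` short-circuiting so that `access::can` never receives an unloaded item; a comment such as `// Check loaded first: access::can() only gives a valid answer for a loaded item` would keep a later refactor from reordering the operands. The enclosing method starts before the hunk and the `else` branch continues past it.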