author | Tim Almdal <tnalmdal@shaw.ca> | 2008-12-13 08:27:14 +0000 |
---|---|---|
committer | Tim Almdal <tnalmdal@shaw.ca> | 2008-12-13 08:27:14 +0000 |
commit | e7a763a8c2f49821a1c0de7ce5f9217f200e08d8 (patch) | |
tree | f450238241ffebdb6063a84940b73348ba020f4f | |
parent | fc3fd3321df5e116975bc6c447768f7d8180b87e (diff) |
Add a permission check to the tag add controller, in case someone bypasses the view and tries to access the controller directly.
-rw-r--r-- | modules/tag/controllers/tags.php | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 7b16f751..aba8ce32 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -54,12 +54,16 @@ class Tags_Controller extends REST_Controller {
 $form = tag::get_add_form($this->input->post('item_id'));
 if ($form->validate()) {
 $item = ORM::factory("item", $this->input->post("item_id"));
- if ($item->loaded) {
- tag::add($item, $this->input->post("tag_name"));
- }
+ if (access::can("edit", $item)) {
+ if ($item->loaded) {
+ tag::add($item, $this->input->post("tag_name"));
+ }
- rest::http_status(rest::CREATED);
- rest::http_location(url::site("tags/{$tag->id}"));
+ rest::http_status(rest::CREATED);
+ rest::http_location(url::site("tags/{$tag->id}"));
+ } else {
+ $form->inputs["add_tag"]->inputs["tag_name"]->add_error("permission denied", 1);
+ }
 }
 print $form;
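Review bot: The new `access::can("edit", $item)` check is evaluated before `$item->loaded` is tested, so a request with an unknown item_id reaches the permission check on an unloaded ORM object and, if that check passes, still answers CREATED with a Location built from `$tag`, which is never assigned anywhere in this hunk because the result of `tag::add` is discarded (this was already the case before the change). Rejecting an unloaded item first and capturing the created tag would close both gaps: `if ($item->loaded && access::can("edit", $item)) {` followed by `$tag = tag::add($item, $this->input->post("tag_name"));`, with the existing `add_error("permission denied", 1)` branch kept for the denied case. Whether `access::can` tolerates an unloaded item cannot be determined from this hunk, so that ordering is worth confirming against its implementation. The enclosing method begins and ends outside the hunk.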