Controller auth / CSRF fixes

1 files changed, 4 insertions, 0 deletions

diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 259c94e7..08c80de3 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -45,9 +45,13 @@ class Organize_Controller extends Controller {
     access::verify_csrf();
 
     $target_album = ORM::factory("item", $target_album_id);
+    access::required("view", $target_album);
+    access::required("add", $target_album);
+
     foreach ($this->input->post("source_ids") as $source_id) {
       $source = ORM::factory("item", $source_id);
       if (!$source->contains($target_album)) {
+        access::required("edit", $source);
         item::move($source, $target_album);
       }
     }