Add missing permission checks.

Make the tag relationship an associative array.

2 files changed, 9 insertions, 5 deletions

diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index 60d37437..672cec53 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -23,8 +23,8 @@ class tag_item_rest_Core {
     return array(
       "url" => $request->url,
       "members" => array(
-        rest::url("tag", $tag),
-        rest::url("item", $item)));
+        "tag" => rest::url("tag", $tag),
+        "item" => rest::url("item", $item)));
   }
 
   static function delete($request) {
@@ -37,7 +37,7 @@ class tag_item_rest_Core {
     list ($tag_id, $item_id) = split(",", $tuple);
     $tag = ORM::factory("tag", $tag_id);
     $item = ORM::factory("item", $item_id);
-    if (!$tag->loaded() || !$item->loaded() || !$tag->has($item)) {
+    if (!$tag->loaded() || !$item->loaded() || !$tag->has($item) || !access::can("view", $item)) {
       throw new Kohana_404_Exception();
     }
 
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index ef563ac6..18973ebb 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
@@ -37,12 +37,16 @@ class tag_items_rest_Core {
     $item = rest::resolve($request->params->item);
     access::required("view", $item);
 
+    if (!$tag->loaded()) {
+      throw new Kohana_404_Exception();
+    }
+
     tag::add($item, $tag->name);
     return array(
       "url" => rest::url("tag_item", $tag, $item),
       "members" => array(
-        rest::url("tag", $tag),
-        rest::url("item", $item)));
+        "tag" => rest::url("tag", $tag),
+        "item" => rest::url("item", $item)));
   }
 
   static function delete($request) {