-rw-r--r-- | modules/tag/controllers/tags.php | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 7b16f751..aba8ce32 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -54,12 +54,16 @@ class Tags_Controller extends REST_Controller {
 $form = tag::get_add_form($this->input->post('item_id'));
 if ($form->validate()) {
 $item = ORM::factory("item", $this->input->post("item_id"));
- if ($item->loaded) {
- tag::add($item, $this->input->post("tag_name"));
- }
+ if (access::can("edit", $item)) {
+ if ($item->loaded) {
+ tag::add($item, $this->input->post("tag_name"));
+ }
- rest::http_status(rest::CREATED);
- rest::http_location(url::site("tags/{$tag->id}"));
+ rest::http_status(rest::CREATED);
+ rest::http_location(url::site("tags/{$tag->id}"));
+ } else {
+ $form->inputs["add_tag"]->inputs["tag_name"]->add_error("permission denied", 1);
+ }
 }
 print $form; |
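Review bot: `access::can("edit", $item)` is evaluated on an item built from the posted `item_id` before `$item->loaded` is checked, so the authorization outcome for a missing item depends on how `access::can` treats an unloaded model, which is not visible here; if it allows it, the request answers `rest::CREATED` although no tag was added. Testing both in one guard, `if ($item->loaded && access::can("edit", $item)) {`, makes the inner `if` unnecessary and sends missing and forbidden items down the same denial branch. That denial branch only attaches a form error and sets no status, so a REST client presumably still sees a success code; an explicit 403 through `rest::http_status` would make the refusal machine-readable and easier to log. The method's signature, and with it the origin of `$tag` used in the Location URL, is outside the hunk.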