Diffstat (limited to 'modules/organize/helpers')
-rw-r--r--modules/organize/helpers/organize.php8
-rw-r--r--modules/organize/helpers/organize_task.php29
2 files changed, 35 insertions, 2 deletions
diff --git a/modules/organize/helpers/organize.php b/modules/organize/helpers/organize.php
index 3a207c95..9bf4e986 100644
--- a/modules/organize/helpers/organize.php
+++ b/modules/organize/helpers/organize.php
@@ -66,6 +66,14 @@ class organize_Core {
$tagPane->hidden("item")->value(implode("|", $itemids));
$item_count = count($itemids);
$ids = implode(", ", $itemids);
+
+ // Lame stopgap security check. This code is going to get rewritten anyway.
+ foreach ($itemids as $id) {
+ $item = ORM::factory("item", $id);
+ access::required("view", $item);
+ access::required("edit", $item);
+ }
+
$tags = Database::instance()->query(
"SELECT t.name, COUNT(it.item_id) as count
FROM {items_tags} it, {tags} t
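Review bot: The added loop authorises each entry of `$itemids`, but it does not constrain the ids to integers, and `$ids` (imploded from the same array on the context line above) looks like it is interpolated into the string-built `SELECT` that begins at the end of this hunk. The rest of that query is outside the hunk, so this is inferred rather than confirmed. Normalising before the implode, for example `$itemids = array_map("intval", $itemids);`, would make the permission check and the query operate on the same values. The loop also never verifies that `ORM::factory("item", $id)` found a row; whether `access::required` rejects an unloaded item is not visible here. The comment would be more useful to the next maintainer if it stated what is enforced, e.g. `// Require view and edit permission on every selected item before building the tag list.`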
diff --git a/modules/organize/helpers/organize_task.php b/modules/organize/helpers/organize_task.php
index 0f0e4792..dc474818 100644
--- a/modules/organize/helpers/organize_task.php
+++ b/modules/organize/helpers/organize_task.php
@@ -38,30 +38,55 @@ class organize_task_Core {
switch ($taskType) {
case "move":
$source = ORM::factory("item", $id);
+ access::required("view", $source);
+ access::required("view", $target);
+ access::required("edit", $source);
+ access::required("edit", $target);
+
item::move($source, $target);
break;
+
case "rearrange":
+ $item = ORM::factory("item", $id);
+ access::required("view", $item);
+ access::required("edit", $item);
+
Database::instance()
->query("Update {items} set weight = {$context["position"]} where id=$id;");
break;
+
case "rotateCcw":
case "rotateCw":
$item = ORM::factory("item", $id);
+ access::required("view", $item);
+ access::required("edit", $item);
+
if ($item->is_photo()) {
$context["post_process"]["reload"][] =
self::_do_rotation($item, $taskType == "rotateCcw" ? -90 : 90);
}
break;
+
case "albumCover":
- item::make_album_cover(ORM::factory("item", $id));
+ $item = ORM::factory("item", $id);
+ access::required("view", $item);
+ access::required("view", $item->parent());
+ access::required("edit", $item->parent());
+
+ item::make_album_cover($item);
break;
+
case "delete":
$item = ORM::factory("item", $id);
+ access::required("view", $item);
+ access::required("edit", $item);
+
$item->delete();
$context["post_process"]["remove"][] = array("id" => $id);
break;
+
default:
- throw new Exception("Task '$taskType' is not implmented");
+ throw new Exception("Task '$taskType' is not implemented");
}
}
$context["position"] += $stop;
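Review bot: In the `rearrange` case the new `access::required` calls authorise the loaded `$item`, but the `Update {items}` statement right after still interpolates the raw `$id` and `$context["position"]` into the SQL string. The row that gets written is therefore selected by an unvalidated value rather than by the object that was just checked. Building the statement from the checked item with integer casts closes that gap: `->query("Update {items} set weight = " . (int)$context["position"] . " where id = " . (int)$item->id . ";");`. None of the cases confirm that `ORM::factory("item", $id)` returned an existing row before the permission check; whether `access::required` rejects an unloaded item is not visible here, so an explicit loaded check is worth adding. In `move`, `$target` is assigned outside the hunk, and the enclosing loop and function also start outside it.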