From 7608870537503ec571f45a175c8486d7945e7c63 Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Tue, 15 Sep 2009 22:51:49 -0700
Subject: Controller auth / CSRF fixes
---
 modules/organize/controllers/organize.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'modules/organize/controllers')
diff --git a/modules/organize/controllers/organize.php b/modules/organize/controllers/organize.php
index 259c94e7..08c80de3 100644
--- a/modules/organize/controllers/organize.php
+++ b/modules/organize/controllers/organize.php
@@ -45,9 +45,13 @@ class Organize_Controller extends Controller {
 access::verify_csrf();
 $target_album = ORM::factory("item", $target_album_id);
+ access::required("view", $target_album);
+ access::required("add", $target_album);
+
 foreach ($this->input->post("source_ids") as $source_id) {
 $source = ORM::factory("item", $source_id);
 if (!$source->contains($target_album)) {
+ access::required("edit", $source);
 item::move($source, $target_album);
 }
 }
-- 
cgit v1.2.3
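Review bot: The added `access::required("edit", $source)` runs inside the same loop that calls `item::move()`, so authorization is interleaved with the state change. If the check stops the request on a source the caller may not edit (how `access::required` fails is not visible in this hunk), every source earlier in `source_ids` has already been moved and the operation ends half-applied. Authorizing all sources in a first pass and moving only afterwards makes the request all-or-nothing. The existing loop can stay as it is for the second pass, so each item is still loaded and re-checked immediately before its move. The enclosing method starts and ends outside the hunk.

```php
$source_ids = $this->input->post("source_ids");
// Pass 1: authorize every source before anything is moved.
foreach ($source_ids as $source_id) {
  $source = ORM::factory("item", $source_id);
  if (!$source->contains($target_album)) {
    access::required("edit", $source);
  }
}
// … unchanged: the existing foreach that loads, re-checks and moves each source …
```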