From e7a763a8c2f49821a1c0de7ce5f9217f200e08d8 Mon Sep 17 00:00:00 2001
From: Tim Almdal
Date: Sat, 13 Dec 2008 08:27:14 +0000
Subject: Add permission check on the tag add controller, in case some bypasses the view and tries to access the controller directly.
---
 modules/tag/controllers/tags.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'modules/tag/controllers')
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 7b16f751..aba8ce32 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -54,12 +54,16 @@ class Tags_Controller extends REST_Controller {
 $form = tag::get_add_form($this->input->post('item_id'));
 if ($form->validate()) {
 $item = ORM::factory("item", $this->input->post("item_id"));
- if ($item->loaded) {
- tag::add($item, $this->input->post("tag_name"));
- }
+ if (access::can("edit", $item)) {
+ if ($item->loaded) {
+ tag::add($item, $this->input->post("tag_name"));
+ }

- rest::http_status(rest::CREATED);
- rest::http_location(url::site("tags/{$tag->id}"));
+ rest::http_status(rest::CREATED);
+ rest::http_location(url::site("tags/{$tag->id}"));
+ } else {
+ $form->inputs["add_tag"]->inputs["tag_name"]->add_error("permission denied", 1);
+ }
 }
 print $form;
--
cgit v1.2.3
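Review bot: `access::can("edit", $item)` is evaluated before `$item->loaded` is tested, so a request whose item_id matches no row runs the permission check against an unloaded ORM object, and if that check passes the client is sent 201 Created although no tag was added. Combining the two tests, `if ($item->loaded && access::can("edit", $item)) {`, makes a missing item and a forbidden item fail the same way and keeps the success headers for real additions only. The denial branch only attaches a form error, so as far as this hunk shows the HTTP status stays at its default; a REST client that ignores the body cannot tell the request was refused, and a 403-class status set through `rest::http_status()` would make the refusal explicit. `$tag` in the Location URL is not assigned anywhere in the visible lines (the enclosing method starts before the hunk), so it should be confirmed that it is set, for example from the return value of `tag::add()` if that call returns the tag.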