From 5b927a7083c8886a42519f9199666431bac0b650 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Mon, 4 Apr 2011 17:45:09 -0700
Subject: Guard against registered users removing tags from items they don't own. Fixes #1671.
---
 modules/tag/helpers/tag_item_rest.php | 1 +
 modules/tag/helpers/tag_items_rest.php | 1 +
 2 files changed, 2 insertions(+)
(limited to 'modules/tag/helpers')
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index a8d3d0bc..be1fa653 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -29,6 +29,7 @@ class tag_item_rest_Core {
 static function delete($request) {
 list ($tag, $item) = rest::resolve($request->url);
+ access::required("edit", $item);
 $tag->remove($item);
 $tag->save();
 }
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index 535ab513..8ed07276 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
@@ -51,6 +51,7 @@ class tag_items_rest_Core {
 static function delete($request) {
 list ($tag, $item) = rest::resolve($request->url);
+ access::required("edit", $item);
 $tag->remove($item);
 $tag->save();
 }
--
cgit v1.2.3
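Review bot: The new `access::required("edit", $item);` line in `delete()` arrives without a regression test (the diffstat lists only the two helper files), so nothing pins the rule that a registered user lacking edit permission on the item cannot remove its tags. The same one-line guard is added to `delete()` in modules/tag/helpers/tag_items_rest.php, and the reason the check is made on `$item` rather than `$tag` deserves a comment above each, e.g. `// Removing a tag modifies the item, so the caller must be allowed to edit the item.` Any other handlers in these two helpers that add or remove tag links lie outside the hunks, so it is worth confirming they enforce the same permission before closing the issue. Both class bodies start and end outside the hunks shown.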