Commit 69301aa0 authored by Richard Mansfield's avatar Richard Mansfield

Check view permission in viewtasks.json.php (bug #771637)



Change-Id: If3f9c5cf3413c1d14bd88d810f8d6d69a5b7e00a
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent d5a2788a
...@@ -38,6 +38,9 @@ $limit = param_integer('limit', 10); ...@@ -38,6 +38,9 @@ $limit = param_integer('limit', 10);
if ($blockid = param_integer('block', null)) { if ($blockid = param_integer('block', null)) {
$bi = new BlockInstance($blockid); $bi = new BlockInstance($blockid);
if (!can_view_view($bi->get('view'))) {
json_reply(true, get_string('accessdenied', 'error'));
}
$options = $configdata = $bi->get('configdata'); $options = $configdata = $bi->get('configdata');
$tasks = ArtefactTypeTask::get_tasks($configdata['artefactid'], $offset, $limit); $tasks = ArtefactTypeTask::get_tasks($configdata['artefactid'], $offset, $limit);
...@@ -53,6 +56,9 @@ if ($blockid = param_integer('block', null)) { ...@@ -53,6 +56,9 @@ if ($blockid = param_integer('block', null)) {
else { else {
$planid = param_integer('artefact'); $planid = param_integer('artefact');
$viewid = param_integer('view'); $viewid = param_integer('view');
if (!can_view_view($viewid)) {
json_reply(true, get_string('accessdenied', 'error'));
}
$options = array('viewid' => $viewid); $options = array('viewid' => $viewid);
$tasks = ArtefactTypeTask::get_tasks($planid, $offset, $limit); $tasks = ArtefactTypeTask::get_tasks($planid, $offset, $limit);
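Review bot: In the else branch the added check only establishes that the caller may see `$viewid`; nothing visible here ties `$planid` to that view before `ArtefactTypeTask::get_tasks($planid, $offset, $limit)` runs. Both values come straight from request parameters, so a caller who can see any one view could still be served the tasks of a plan that is not displayed in it. The block branch does not have this gap, because there the artefact id comes from the block's own stored `configdata`. Consider also requiring that the artefact belongs to the view, for example `if (!can_view_view($viewid) || !artefact_in_view($planid, $viewid)) {`, assuming Mahara's `artefact_in_view()` helper is available in this tree. It would also help to add a comment such as `// json_reply() ends the request, so nothing below runs on denial` if that is the case, since the rest of the branch relies on it and the remainder of the script is outside the hunk.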