Commit a0e7e16f authored by Ruslan Kabalin's avatar Ruslan Kabalin

Fixed artefact access permissions check.



Absolutely any institution admin was granted editing permissions to artefacts
that use the 'can_edit_artefact' method to check editing permission ("Comments" in
particular).
Signed-off-by: default avatarRuslan Kabalin <ruslan.kabalin@luns.net.uk>
parent f9ebcaba
......@@ -772,7 +772,7 @@ class User {
public function can_view_artefact($a) {
if ($this->get('admin')
|| ($this->get('id') and $this->get('id') == $a->get('owner'))
|| $this->is_institutional_admin($a->get('institution'))) {
|| ($a->get('institution') and $this->is_institutional_admin($a->get('institution')))) {
return true;
}
if ($a->get('group')) {
......@@ -788,7 +788,7 @@ class User {
public function can_edit_artefact($a) {
if ($this->get('admin')
|| ($this->get('id') and $this->get('id') == $a->get('owner'))
|| $this->is_institutional_admin($a->get('institution'))) {
|| ($a->get('institution') and $this->is_institutional_admin($a->get('institution')))) {
return true;
}
$group = $a->get('group');
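Review bot: The added `$a->get('institution') and …` guard in can_edit_artefact, and the identical one in can_view_artefact in the first hunk, carries no comment saying why an artefact without an institution must be kept away from is_institutional_admin(). Going by the commit message, an empty argument there matches an admin of any institution, so a later cleanup that drops the apparently redundant test would silently reopen the permission bypass. I would add above the condition in both methods `// Artefacts with no institution must never reach is_institutional_admin(): an empty argument matches an admin of any institution.` Since that method is not shown here, it is worth checking whether its other callers can pass an empty institution too, or moving the guard into one shared helper. Both method bodies continue outside their hunks.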
......