| author | Malf Furious <m@lfurio.us> | 2016-06-10 01:12:45 -0400 | 
|---|---|---|
| committer | Malf Furious <m@lfurio.us> | 2016-06-10 01:12:45 -0400 | 
| commit | f7848f8b7b471766d674c8bf8e9a75099a9ffda5 (patch) | |
| tree | e5ce2792c350d26687b1fd0117da205b82657bdf | |
| parent | 3e05bd0357d1cecc89c865a8b339b114b5b91f67 (diff) | |
| download | scrott-f7848f8b7b471766d674c8bf8e9a75099a9ffda5.tar.gz scrott-f7848f8b7b471766d674c8bf8e9a75099a9ffda5.zip | |
Assert access control before rendering an object view
If the current user does not have access permission to the requested
object, throw an exception and do not proceed.
| -rw-r--r-- | app/controller/obj.control.php | 3 | 
1 files changed, 3 insertions, 0 deletions
|
diff --git a/app/controller/obj.control.php b/app/controller/obj.control.php
index 08172b5..74288ee 100644
--- a/app/controller/obj.control.php
+++ b/app/controller/obj.control.php
@@ -31,6 +31,9 @@ class Obj extends Controller
         $mod = new ObjModel();
         $obj = new DBObject($argv[0]);
+        if (!$obj->canAccess($this->getCurrentUser()))
+            throw new Exception("You do not have permission to access this object");
+
         switch ($obj->type)
         {
             case "group":
|
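Review bot: The guard added after `new DBObject($argv[0])` relies on `canAccess()` failing closed in two cases this hunk does not show: when `getCurrentUser()` yields no user (an unauthenticated request) and when `$argv[0]` names an object that does not exist. Neither `canAccess()` nor the `DBObject` constructor is visible here, so it is worth confirming that both cases end in a denial rather than an error or a `true`. If a missing object produces a different error than the "You do not have permission to access this object" message, the two responses would let a caller tell which object ids exist; returning the same response for both avoids that. The `throw` is also attached to a braceless `if`; I would write `if (!$obj->canAccess($this->getCurrentUser())) {` with the `throw` inside and a closing `}`, so a later edit cannot detach the denial from its condition. The enclosing method starts and ends outside the hunk.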
