diff options
| author | Malf Furious <m@lfurio.us> | 2016-06-10 01:12:45 -0400 |
|---|---|---|
| committer | Malf Furious <m@lfurio.us> | 2016-06-10 01:12:45 -0400 |
| commit | f7848f8b7b471766d674c8bf8e9a75099a9ffda5 (patch) | |
| tree | e5ce2792c350d26687b1fd0117da205b82657bdf /app | |
| parent | 3e05bd0357d1cecc89c865a8b339b114b5b91f67 (diff) | |
| download | scrott-f7848f8b7b471766d674c8bf8e9a75099a9ffda5.tar.gz scrott-f7848f8b7b471766d674c8bf8e9a75099a9ffda5.zip | |
Assert access control before rendering an object view
If the current user does not have access permission to the requested
object, throw an exception and do not proceed.
Diffstat (limited to '')
| -rw-r--r-- | app/controller/obj.control.php | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/app/controller/obj.control.php b/app/controller/obj.control.php index 08172b5..74288ee 100644 --- a/app/controller/obj.control.php +++ b/app/controller/obj.control.php @@ -31,6 +31,9 @@ class Obj extends Controller $mod = new ObjModel(); $obj = new DBObject($argv[0]); + if (!$obj->canAccess($this->getCurrentUser())) + throw new Exception("You do not have permission to access this object"); + switch ($obj->type) { case "group": |