authorMalf Furious <m@lfurio.us>2018-09-20 23:21:49 -0400
committerMalf Furious <m@lfurio.us>2018-09-20 23:21:49 -0400
commit52ae87e3fe90a0231e874cb498797e2ef2295518 (patch)
tree18162c6ca87e5bfee9aab0649c7962862cc04f03 /app
parentb9bdf474f838d1435dc0cba1f6ffa9e1e26520b6 (diff)
downloadscrott-52ae87e3fe90a0231e874cb498797e2ef2295518.tar.gz
scrott-52ae87e3fe90a0231e874cb498797e2ef2295518.zip
index: Enforce access permission when viewing object by URL
The controller now (again) prevents browsing to objects the user is not allowed to access.
Diffstat (limited to 'app')
-rw-r--r--app/index.php8
1 files changed, 8 insertions, 0 deletions
diff --git a/app/index.php b/app/index.php
index 182ab1b..a40f8c1 100644
--- a/app/index.php
+++ b/app/index.php
@@ -74,6 +74,14 @@ function main(array $argv) : void
/* view object */
if (table::isGUID($argv[0]))
{
+ /* check permissions */
+ if (!$user->canAccess(new obj($argv[0])))
+ {
+ /* TODO - use notice modal instead of an exception */
+ throw new Exception("You do not have access permission for the requested object");
+ }
+
+ /* setup page */
switch (obj::typeOf($argv[0]))
{
case "pad":
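Review bot: The denial at `throw new Exception("You do not have access permission for the requested object");` uses the base `Exception` with no code, so whatever catches errors from main() cannot tell an authorization failure from any other fault, map it to a 403-style response, or log it as an access denial. Until the notice modal from the TODO exists, passing a code would make the case identifiable, for example `throw new Exception("You do not have access permission for the requested object", 403);`. `new obj($argv[0])` is also constructed before the check. If that constructor reports a GUID that does not exist differently (not visible here), the two responses let a requester tell forbidden objects from missing ones, so both paths should return the same message. main() starts and continues outside this hunk, so it cannot be confirmed from here that `$user` is always set for unauthenticated requests, or that the other branches which resolve an object from `$argv` apply the same check.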