From 52ae87e3fe90a0231e874cb498797e2ef2295518 Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Thu, 20 Sep 2018 23:21:49 -0400
Subject: index: Enforce access permission when viewing object by URL

The controller now (again) prevents browsing to objects the user is not allowed to access.
---
 app/index.php | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'app/index.php')
diff --git a/app/index.php b/app/index.php
index 182ab1b..a40f8c1 100644
--- a/app/index.php
+++ b/app/index.php
@@ -74,6 +74,14 @@ function main(array $argv) : void
 /* view object */
 if (table::isGUID($argv[0]))
 {
+ /* check permissions */
+ if (!$user->canAccess(new obj($argv[0])))
+ {
+ /* TODO - use notice modal instead of an exception */
+ throw new Exception("You do not have access permission for the requested object");
+ }
+
+ /* setup page */
 switch (obj::typeOf($argv[0]))
 {
 case "pad":
-- cgit v1.2.3
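Review bot: The denial in the added `if (!$user->canAccess(new obj($argv[0])))` branch is raised as a bare `Exception`, so nothing in this hunk sets a 403 status, and how the message reaches the browser depends on whatever catches it outside `main()`. I would add `http_response_code(403);` before the `throw` and use a dedicated exception class, so the top-level handler can log denials and render them without a stack trace. It is also worth confirming that a well-formed GUID with no matching object produces the same response as a forbidden one, otherwise the differing messages reveal which object ids are in use. `new obj($argv[0])` runs before the check and `$user` is assumed to be non-null here; both are set up outside the hunk, as is the rest of `main()`.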