From d8e6fc09df73e4165fa5503b713f8958e1599175 Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Thu, 1 Nov 2018 04:35:26 -0400 Subject: Fix 'closeIssue' form submission I was failing to assert user has modify permissions for the issue. Signed-off-by: Malf Furious --- app/model/issue.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'app') diff --git a/app/model/issue.php b/app/model/issue.php index 0954ad9..403e82e 100644 --- a/app/model/issue.php +++ b/app/model/issue.php @@ -52,6 +52,12 @@ if (isAction("iss-mesg-add")) if (isset(input()['closeIssue'])) { + if (!$user->canModify($issue)) + { + logError(ERROR, "You do not have permission to close this issue"); + return; + } + $issue->close($user); logError(NOTICE, "Issue #" . $issue->numb . " closed"); $log = mesg::initNewLog("% closed issue", $user, $issue); -- cgit v1.2.3