From f7848f8b7b471766d674c8bf8e9a75099a9ffda5 Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Fri, 10 Jun 2016 01:12:45 -0400
Subject: Assert access control before rendering an object view

If the current user does not have access permission to the requested object, throw an exception and do not proceed.
---
 app/controller/obj.control.php | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'app')

diff --git a/app/controller/obj.control.php b/app/controller/obj.control.php
index 08172b5..74288ee 100644
--- a/app/controller/obj.control.php
+++ b/app/controller/obj.control.php
@@ -31,6 +31,9 @@ class Obj extends Controller
         $mod = new ObjModel();
         $obj = new DBObject($argv[0]);
 
+        if (!$obj->canAccess($this->getCurrentUser()))
+            throw new Exception("You do not have permission to access this object");
+
         switch ($obj->type)
         {
             case "group":
-- 
cgit v1.2.3
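Review bot: The new guard throws a bare `Exception`, so unless the dispatcher outside this hunk maps uncaught exceptions to a 403 response, a denied request will surface as a generic 500 (and, if display_errors is on, a stack trace that includes the requested object id) rather than a deliberate permission-denied page; a dedicated exception type — e.g. an `AccessDeniedException` (placeholder name; use whatever the framework already provides) — would let the front controller tell the two apart and log denials separately. It is also worth confirming that `canAccess()` tolerates whatever `getCurrentUser()` returns for an unauthenticated session (likely null or a guest object, which I cannot tell from here), since that is the path most likely to reach this check without a user. Stylistically, the braceless `if`/`throw` is the only unbraced block visible in the hunk; PSR-12 wants `if (!$obj->canAccess($this->getCurrentUser())) { throw new Exception("You do not have permission to access this object"); }`. The enclosing method begins before the hunk and continues after it.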