issue: Add permission check

yona-projects · Mar 13, 2017 · 89a6c62 · 89a6c62
1 parent f1aecf9
commit 89a6c62
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/app/controllers/IssueApp.java b/app/controllers/IssueApp.java
@@ -413,6 +413,10 @@ public static Result newIssue(String ownerName, String projectName) {
                 flash(Constants.WARNING, Messages.get("error.notfound.project"));
                 return badRequest(create.render("title.newIssue", new Form<>(Issue.class), project, null));
             } else {
+                if (!AccessControl.isProjectResourceCreatable(
+                        UserApp.currentUser(), toAnotherProject, ResourceType.ISSUE_POST)) {
+                    return forbidden(ErrorViews.Forbidden.render("error.forbidden", toAnotherProject));
+                }
                 project = toAnotherProject;
             }
         }
@@ -551,6 +555,10 @@ public static Result editIssue(String ownerName, String projectName, Long number
                 flash(Constants.WARNING, Messages.get("error.notfound.project"));
                 return badRequest(edit.render("error.validation", issueForm, Issue.findByNumber(project, number), project));
             } else if (isRequestedToOtherProject(project, toOtherProject)) {
+                if (!AccessControl.isProjectResourceCreatable(
+                        UserApp.currentUser(), toOtherProject, ResourceType.ISSUE_POST)) {
+                    return forbidden(ErrorViews.Forbidden.render("error.forbidden", toOtherProject));
+                }
                 moveIssueToOtherProject(originalIssue, toOtherProject);
             }
         }