
Added access check for 'update' and 'delete' actions for calendar.
dvaganov committed Jun 9, 2016
1 parent 4ea512c commit 806a54d
Showing 2 changed files with 23 additions and 1 deletion.
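--- a/controllers/CalendarController.php
+++ b/controllers/CalendarController.php
@@ -137,6 +137,11 @@ public function actionUpdate($id)
 {
 $model = $this->findModel($id);
 
+if (!Access::isCreator($model)) {
+throw new \yii\web\ForbiddenHttpException("Not allowed!");
+return;
+}
+
 if ($model->load(Yii::$app->request->post()) && $model->save()) {
 return $this->redirect(['view', 'id' => $model->id]);
 } else {
@@ -154,7 +159,13 @@ public function actionUpdate($id)
 */
 public function actionDelete($id)
 {
-$this->findModel($id)->delete();
+$this->findModel($id);
+
+if (Access::isCreator($model)) {
+$model->delete();
+} else {
+throw new \yii\web\ForbiddenHttpException("Not allowed!");
+}
 
 return $this->redirect(['index']);
 }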
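Review bot: In the second hunk, `$this->findModel($id);` discards the loaded record, so `$model` is never assigned in actionDelete and both `Access::isCreator($model)` and `$model->delete()` run against an undefined variable; the authorization check therefore does not evaluate the record's creator at all, and the delete path fails on a null object instead of deleting. The line should read `$model = $this->findModel($id);`, matching actionUpdate in the first hunk. In the first hunk the `return;` after the throw is unreachable and can be dropped. actionUpdate's body continues past the first hunk, so the rest of its flow is not visible here.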
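--- a/models/Access.php
+++ b/models/Access.php
@@ -108,4 +108,15 @@ public static function check($model)
 
 return $result;
 }
+
+/**
+ * Check if user is creator the model.
+ * @param \app\models\Calendar $model
+ * @return bool
+ */
+public static function isCreator($model)
+{
+$currentUserID = \Yii::$app->user->id;
+return $currentUserID === $model->creatorID;
+}
 }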
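Review bot: `isCreator` does not handle the unauthenticated case: for a guest, `\Yii::$app->user->id` is null, so a record whose `creatorID` is null (or unset) satisfies the strict comparison and the guest is treated as the creator. Conversely, if `user->id` and `creatorID` arrive as different scalar types (e.g. int versus string from the database — not visible here, so worth confirming), `===` never matches and every legitimate creator is rejected. A guard such as `if (\Yii::$app->user->isGuest) { return false; }` before the comparison closes the first gap, and normalizing both sides to the same type (or documenting that they are already the same type) addresses the second. The docblock summary would read better as "Check whether the current user is the creator of the model."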
