Add missing permission checks.

Make the tag relationship an associative array.
gallery · Jan 30, 2010 · a04d0d2 · a04d0d2
1 parent a956098
commit a04d0d2
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 7 deletions.
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
@@ -23,8 +23,8 @@ static function get($request) {
     return array(
       "url" => $request->url,
       "members" => array(
-        rest::url("tag", $tag),
-        rest::url("item", $item)));
+        "tag" => rest::url("tag", $tag),
+        "item" => rest::url("item", $item)));
   }
 
   static function delete($request) {
@@ -37,7 +37,7 @@ static function resolve($tuple) {
     list ($tag_id, $item_id) = split(",", $tuple);
     $tag = ORM::factory("tag", $tag_id);
     $item = ORM::factory("item", $item_id);
-    if (!$tag->loaded() || !$item->loaded() || !$tag->has($item)) {
+    if (!$tag->loaded() || !$item->loaded() || !$tag->has($item) || !access::can("view", $item)) {
       throw new Kohana_404_Exception();
     }
 

diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
@@ -37,12 +37,16 @@ static function post($request) {
     $item = rest::resolve($request->params->item);
     access::required("view", $item);
 
+    if (!$tag->loaded()) {
+      throw new Kohana_404_Exception();
+    }
+
     tag::add($item, $tag->name);
     return array(
       "url" => rest::url("tag_item", $tag, $item),
       "members" => array(
-        rest::url("tag", $tag),
-        rest::url("item", $item)));
+        "tag" => rest::url("tag", $tag),
+        "item" => rest::url("item", $item)));
   }
 
   static function delete($request) {

diff --git a/modules/tag/tests/Tag_Item_Rest_Helper_Test.php b/modules/tag/tests/Tag_Item_Rest_Helper_Test.php
@@ -32,8 +32,8 @@ public function get_test() {
     $this->assert_equal_array(
       array("url" => rest::url("tag_item", $tag, item::root()),
             "members" => array(
-              rest::url("tag", $tag),
-              rest::url("item", item::root()))),
+              "tag" => rest::url("tag", $tag),
+              "item" => rest::url("item", item::root()))),
       tag_item_rest::get($request));
   }