From a04d0d278964c93b4829ec2e77f5f315abcba392 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Fri, 29 Jan 2010 19:42:38 -0800
Subject: [PATCH] Add missing permission checks. Make the tag relationship an associative array.
---
 modules/tag/helpers/tag_item_rest.php | 6 +++---
 modules/tag/helpers/tag_items_rest.php | 8 ++++++--
 modules/tag/tests/Tag_Item_Rest_Helper_Test.php | 4 ++--
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/modules/tag/helpers/tag_item_rest.php b/modules/tag/helpers/tag_item_rest.php
index 60d3743712..672cec53c5 100644
--- a/modules/tag/helpers/tag_item_rest.php
+++ b/modules/tag/helpers/tag_item_rest.php
@@ -23,8 +23,8 @@ static function get($request) {
 return array(
 "url" => $request->url,
 "members" => array(
- rest::url("tag", $tag),
- rest::url("item", $item)));
+ "tag" => rest::url("tag", $tag),
+ "item" => rest::url("item", $item)));
 }
 static function delete($request) {
@@ -37,7 +37,7 @@ static function resolve($tuple) {
 list ($tag_id, $item_id) = split(",", $tuple);
 $tag = ORM::factory("tag", $tag_id);
 $item = ORM::factory("item", $item_id);
- if (!$tag->loaded() || !$item->loaded() || !$tag->has($item)) {
+ if (!$tag->loaded() || !$item->loaded() || !$tag->has($item) || !access::can("view", $item)) {
 throw new Kohana_404_Exception();
 }
diff --git a/modules/tag/helpers/tag_items_rest.php b/modules/tag/helpers/tag_items_rest.php
index ef563ac640..18973ebb3b 100644
--- a/modules/tag/helpers/tag_items_rest.php
+++ b/modules/tag/helpers/tag_items_rest.php
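Review bot: The widened condition in resolve() (tag_item_rest.php) now answers a failed view check with the same Kohana_404_Exception as a missing tag, item or relationship, but nothing records that this is deliberate. A comment above the `if` would help, e.g. `// 404 (not 403) on a failed view check so the response does not reveal that the tag/item pair exists.` The comment should also say that resolve() establishes view access only, so callers that modify the relationship, such as delete() whose body lies outside this hunk, still need their own write-level check.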
@@ -37,12 +37,16 @@ static function post($request) { $item = rest::resolve($request->params->item); access::required("view", $item); + if (!$tag->loaded()) { + throw new Kohana_404_Exception(); + } + tag::add($item, $tag->name); return array( "url" => rest::url("tag_item", $tag, $item), "members" => array( - rest::url("tag", $tag), - rest::url("item", $item))); + "tag" => rest::url("tag", $tag), + "item" => rest::url("item", $item))); } static function delete($request) { diff --git a/modules/tag/tests/Tag_Item_Rest_Helper_Test.php b/modules/tag/tests/Tag_Item_Rest_Helper_Test.php index 6c49ad6757..69c580f129 100644 --- a/modules/tag/tests/Tag_Item_Rest_Helper_Test.php +++ b/modules/tag/tests/Tag_Item_Rest_Helper_Test.php @@ -32,8 +32,8 @@ public function get_test() { $this->assert_equal_array( array("url" => rest::url("tag_item", $tag, item::root()), "members" => array( - rest::url("tag", $tag), - rest::url("item", item::root()))), + "tag" => rest::url("tag", $tag), + "item" => rest::url("item", item::root()))), tag_item_rest::get($request)); }
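Review bot: post() in tag_items_rest.php gates a write on read access: `access::required("view", $item);` is the only permission check visible before `tag::add($item, $tag->name);`, so as far as this hunk shows a caller who can merely view an item can attach tags to it. If tagging is meant to be an edit-level operation, add `access::required("edit", $item);` next to the view check. The new `$tag->loaded()` guard would also read more naturally directly after `$tag` is resolved, but that line and the start of post() are above the hunk.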
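Review bot: Neither permission check added by this commit has a test; Tag_Item_Rest_Helper_Test.php only picks up the new keyed `members` shape in get_test(), which starts above the hunk. A companion case should assert that `tag_item_rest::resolve()` throws `Kohana_404_Exception` for a tag/item pair whose item the active user cannot view. A second case should cover `tag_items_rest::post()` with a tag that is not loaded, so that a later refactor cannot silently drop either guard.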