From 428fb1837f22081a00f9ab7e9e3f22ef2ecf8ae9 Mon Sep 17 00:00:00 2001
From: Richard Mansfield
Date: Wed, 27 Apr 2011 17:18:41 +1200
Subject: [PATCH] Check edit permissions in tasks.json.php (bug #771623)

Signed-off-by: Richard Mansfield
---
 htdocs/artefact/plans/tasks.json.php | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/htdocs/artefact/plans/tasks.json.php b/htdocs/artefact/plans/tasks.json.php
index a87927c..4839cb1 100644
--- a/htdocs/artefact/plans/tasks.json.php
+++ b/htdocs/artefact/plans/tasks.json.php
@@ -35,6 +35,10 @@ $plan = param_integer('id');
 $limit = param_integer('limit', 10);
 $offset = param_integer('offset', 0);
+if (!$USER->can_edit_artefact(new ArtefactTypePlan($plan))) {
+ json_reply(true, get_string('accessdenied', 'error'));
+}
+
 $tasks = ArtefactTypeTask::get_tasks($plan, $offset, $limit);
 ArtefactTypeTask::build_tasks_list_html($tasks);
--
1.7.1
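Review bot: The denial branch depends on `json_reply()` ending the request, because nothing in the added `if` stops execution before `ArtefactTypeTask::get_tasks($plan, $offset, $limit)` runs. That helper is defined outside this patch; if it does exit, a one-line comment above the guard would record the dependency, for example `// json_reply() must not return: the task list below is only for users who can edit this plan`. Separately, `new ArtefactTypePlan($plan)` is constructed from the request-supplied `id` before the permission check, so an unknown id presumably surfaces as whatever that constructor raises rather than the `accessdenied` message. It is worth confirming that both cases produce the same response, so the endpoint does not reveal which plan ids exist. The script continues past the end of the hunk, so the final reply to the client is not visible here.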