From 222483212c6de8dcea6aa28ebe30b7ad61460eb9 Mon Sep 17 00:00:00 2001
From: Richard Mansfield
Date: Wed, 27 Apr 2011 17:49:16 +1200
Subject: [PATCH] Check view permission in viewtasks.json.php (bug #771637)
Signed-off-by: Richard Mansfield
---
 htdocs/artefact/plans/viewtasks.json.php | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/htdocs/artefact/plans/viewtasks.json.php b/htdocs/artefact/plans/viewtasks.json.php
index 093e558..41c04ff 100644
--- a/htdocs/artefact/plans/viewtasks.json.php
+++ b/htdocs/artefact/plans/viewtasks.json.php
@@ -38,6 +38,9 @@ $limit = param_integer('limit', 10);
 if ($blockid = param_integer('block', null)) {
 $bi = new BlockInstance($blockid);
+ if (!can_view_view($bi->get('view'))) {
+ json_reply(true, get_string('accessdenied', 'error'));
+ }
 $options = $configdata = $bi->get('configdata');
 $tasks = ArtefactTypeTask::get_tasks($configdata['artefactid'], $offset, $limit);
@@ -53,6 +56,9 @@ if ($blockid = param_integer('block', null)) {
 else {
 $planid = param_integer('artefact');
 $viewid = param_integer('view');
+ if (!can_view_view($viewid)) {
+ json_reply(true, get_string('accessdenied', 'error'));
+ }
 $options = array('viewid' => $viewid);
 $tasks = ArtefactTypeTask::get_tasks($planid, $offset, $limit);
-- 
1.7.1
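Review bot: The new guard in the block branch (first hunk) only protects the `get_tasks()` call below it if `json_reply()` ends the request, and nothing visible in the hunk states that; the identical guard in the second hunk has the same dependency. I would add a one-line comment above each check, `// json_reply() must not return: the task query below runs only for a view the user may see`. If that helper can return in any configuration, follow the reply with an explicit `exit;`. The enclosing `if ($blockid = ...)` block continues past the end of the hunk.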
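Review bot: In the `else` branch (second hunk) the permission check covers `$viewid`, but the tasks are then fetched for `$planid`, and no visible line verifies that this plan artefact belongs to that view. As written, the guard confirms only that the caller may see the view named in the `view` parameter; it does not constrain which plan is read. Check membership in the same condition, for example `if (!can_view_view($viewid) || !artefact_in_view($planid, $viewid)) {`, assuming Mahara's `artefact_in_view()` helper is available on this branch. The `else` block continues past the end of the hunk, so a later check may exist outside what is shown here.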