Commit f238e5b448d70700b276c471e45413a341465c2e
1 parent
4672f890
KTS-250: restrict mass delete to write permission.
git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@4713 c91229c3-7414-0410-bfa2-8a42b809f60b
Showing
1 changed file
with
5 additions
and
0 deletions
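--- a/browse.php
+++ b/browse.php
@@ -498,6 +498,8 @@ class BrowseDispatcher extends KTStandardDispatcher {
 $res = KTUtil::arrayGet($_REQUEST,'sReason');
 $sReason = $this->oValidator->notEmpty($res, $aErrorOptions);
 
+
+
 // FIXME we need to sort out the (inconsistent) use of transactions here.
 $aFolders = array();
 $aDocuments = array();
@@ -511,6 +513,9 @@ class BrowseDispatcher extends KTStandardDispatcher {
 }
 foreach ($aDocumentSelection as $id) {
 $oD = Document::get($id);
+if (!Permission::userHasDocumentWritePermission($oD)) {
+return $this->errorRedirectToMain(sprintf(_('You do not have permissions to delete the documen: %s'), $oD->getName()));
+}
 if (PEAR::isError($oD) || ($oD == false)) {
 return $this->errorRedirectToMain(_('Invalid Document selected.'));
 } else {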
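Review bot: The write-permission check added at new lines 516-518 runs before the existing `PEAR::isError($oD) || ($oD == false)` validation, so a request-supplied id that does not resolve to a document reaches `Permission::userHasDocumentWritePermission($oD)` and `$oD->getName()` as an error object or `false`. Move the permission block below the validity test (for example into the `else` branch) so that authorization is only ever decided on a real Document and an invalid id still yields the 'Invalid Document selected.' redirect. The folder loop that closes just above this hunk is not visible here; if it has no equivalent folder permission check, the restriction in the commit title covers selected documents only and should be confirmed for folders. The new message also misspells the word as `documen`. The enclosing method starts and ends outside the hunk.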