From 2cf3262256fe181bb74f2f41cc776a2fb6228d24 Mon Sep 17 00:00:00 2001 From: Patrick Seeger Date: Wed, 15 May 2013 10:41:50 +0200 Subject: =?UTF-8?q?L=C3=B6schen=20zugriffsbeschr=C3=A4nkt?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- protected/controllers/MyAngebotController.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/protected/controllers/MyAngebotController.php b/protected/controllers/MyAngebotController.php index d0adfd2..cbd74ad 100644 --- a/protected/controllers/MyAngebotController.php +++ b/protected/controllers/MyAngebotController.php @@ -87,8 +87,12 @@ class MyAngebotController extends Controller if(Yii::app()->request->isPostRequest) { // we only allow deletion via POST request - $this->loadModel($id)->delete(); - + $model = $this->loadModel($id); + if ($model->verein_id != Yii::app()->user->vereinId) { + throw new CHttpException(401,'Illegal Access! Delete your own data!'); + } else { + $model->delete(); + } // if AJAX request (triggered by deletion via admin grid view), we should not redirect the browser if(!isset($_GET['ajax'])) $this->redirect(isset($_POST['returnUrl']) ? $_POST['returnUrl'] : array('admin')); -- cgit v1.0-28-g1787