check access rights in controller, not before

2025-10-30 20:51:22 +00:00 · 2017-01-10 06:58:07 +01:00 · 2017-01-10 06:58:07 +01:00 · b27b8ba7fd
commit b27b8ba7fd
parent 5584cedce3
2 changed files with 5 additions and 5 deletions
--- a/controllers/class.AddDocument.php
+++ b/controllers/class.AddDocument.php
@ -86,10 +86,12 @@ class SeedDMS_Controller_AddDocument extends SeedDMS_Controller_Common {
 			}
 			/* Check if additional notification shall be added */
 			foreach($notificationusers as $notuser) {
+				if($document->getAccessMode($user) >= M_READ)
 					$res = $document->addNotify($notuser->getID(), true);
 			}
 			foreach($notificationgroups as $notgroup) {
-				$res = $document->addNotify($notgroup->getID(), false);
+				if($document->getGroupAccessMode($notgroup) >= M_READ)
+					$res = $document->addNotify($notgroup->getID(), false);
 			}

 			if(!$this->callHook('postAddDocument', $document)) {
--- a/op/op.AddDocument.php
+++ b/op/op.AddDocument.php
@ -299,8 +299,7 @@ if(!empty($_POST['notification_users'])) {
 	foreach($_POST['notification_users'] as $notuserid) {
 		$notuser = $dms->getUser($notuserid);
 		if($notuser) {
-			if($document->getAccessMode($user) >= M_READ)
-				$notusers[] = $notuser;
+			$notusers[] = $notuser;
 		}
 	}
 }
@ -309,8 +308,7 @@ if(!empty($_POST['notification_groups'])) {
 	foreach($_POST['notification_groups'] as $notgroupid) {
 		$notgroup = $dms->getGroup($notgroupid);
 		if($notgroup) {
-			if($document->getGroupAccessMode($notgroup) >= M_READ)
-				$notgroups[] = $notgroup;
+			$notgroups[] = $notgroup;
 		}
 	}
 }