From c26f9ef6c5867a1a46318e8e9f5c6c2d15ec0ff9 Mon Sep 17 00:00:00 2001
From: André Bernardes
Date: Mon, 29 Jun 2015 18:10:01 -0300
Subject: [PATCH] Fixing permissions when target is not a person
---
 lib/noosfero/api/helpers.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/noosfero/api/helpers.rb b/lib/noosfero/api/helpers.rb
index 9030f6c..6d15eb8 100644
--- a/lib/noosfero/api/helpers.rb
+++ b/lib/noosfero/api/helpers.rb
@@ -112,7 +112,8 @@ module Noosfero
 def present_tasks(asset)
 tasks = select_filtered_collection_of(asset, 'tasks', params)
- tasks = tasks.select {|t| t.display_to?(current_user.person)}
+ tasks = tasks.select {|t| current_person.has_permission?(t.permission, asset)}
+ return forbidden! if tasks.empty? && !current_person.has_permission?(:perform_task, asset)
 present tasks, :with => Entities::Task, :fields => params[:fields]
 end
--
libgit2 0.21.2
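Review bot: Both added lines call `current_person.has_permission?` without checking that `current_person` is set, so if `present_tasks` can be reached without an authenticated user (the callers are not visible in this hunk) the request would presumably end in a NoMethodError rather than a clean denial. A guard such as `return forbidden! unless current_person` ahead of the `select` would make that path explicit. The change also replaces the per-task `t.display_to?` check with a permission held on `asset` alone, so any task-level visibility rule that `display_to?` encoded no longer applies. A spec covering a person target and a non-person target, each with a user who holds and one who lacks `t.permission`, would pin the intended authorization behaviour, including what happens when `t.permission` is nil.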