From e5c464f205ee0586f857026f3e41ff4bd5694785 Mon Sep 17 00:00:00 2001
From: Tan Jiang <jiangd@vmware.com>
Date: Wed, 14 Sep 2016 15:25:16 +0800
Subject: [PATCH] fix #801

---
 api/project.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/api/project.go b/api/project.go
index 09689a500..92eb543d7 100644
--- a/api/project.go
+++ b/api/project.go
@@ -338,6 +338,11 @@ func (p *ProjectAPI) FilterAccessLog() {
 	var query models.AccessLog
 	p.DecodeJSONReq(&query)
 
+	if !checkProjectPermission(p.userID, p.projectID) {
+		log.Warningf("Current user, user id: %d does not have permission to read accesslog of project, id: %d", p.userID, p.projectID)
+		p.RenderError(http.StatusForbidden, "")
+		return
+	}
 	query.ProjectID = p.projectID
 	query.BeginTime = time.Unix(query.BeginTimestamp, 0)
 	query.EndTime = time.Unix(query.EndTimestamp, 0)