From 295425e791d7d7eb26f5a00715b3fc0ac7581f1f Mon Sep 17 00:00:00 2001
From: Shane Kilkelly
Date: Wed, 23 May 2018 11:34:55 +0100
Subject: [PATCH] Check that user can read a project on entities-json route
---
 services/web/app/coffee/router.coffee | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee
index 66e359e98f..7b0d11863b 100644
--- a/services/web/app/coffee/router.coffee
+++ b/services/web/app/coffee/router.coffee
@@ -120,7 +120,9 @@ module.exports = class Router
 privateApiRouter.get '/user/:user_id/personal_info', AuthenticationController.httpAuth, UserInfoController.getPersonalInfo

 webRouter.get '/user/projects', AuthenticationController.requireLogin(), ProjectController.userProjectsJson
- webRouter.get '/project/:Project_id/entities', AuthenticationController.requireLogin(), ProjectController.projectEntitiesJson
+ webRouter.get '/project/:Project_id/entities', AuthenticationController.requireLogin(),
+ AuthorizationMiddlewear.ensureUserCanReadProject
+ ProjectController.projectEntitiesJson

 webRouter.get '/project', AuthenticationController.requireLogin(), ProjectController.projectListPage
 webRouter.post '/project/new', AuthenticationController.requireLogin(), ProjectController.newProject
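Review bot: The added `AuthorizationMiddlewear.ensureUserCanReadProject` line has no trailing comma although the line before it ends with one, so the middleware chain relies on CoffeeScript treating the newline inside the indented argument list as a separator. That should parse as three handlers, but if the two lines are ever rejoined without a comma, the result is an implicit call of the read check with the controller as its argument. Writing `AuthorizationMiddlewear.ensureUserCanReadProject,` would make the order of login check, read check and handler explicit. The diffstat shows only router.coffee changed, so nothing here pins the new behaviour; a test that a logged-in user without access to the project is refused on `/project/:Project_id/entities` would guard against regressions. The Router class body continues outside the hunk, so whether other `:Project_id` routes already carry a read check cannot be judged from this page.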