From d8c3cc4c84dee34eed3eee0807331249bacc8c13 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?=
Date: Tue, 17 Jul 2018 11:34:37 +0200
Subject: [PATCH] set ACL only if page is shown
---
 Controller/TaskController.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Controller/TaskController.php b/Controller/TaskController.php
index a54964574..3fc3f1dee 100644
--- a/Controller/TaskController.php
+++ b/Controller/TaskController.php
@@ -84,10 +84,6 @@ class TaskController extends Controller
 return $t->getName() === $transition;
 }
 ))[0];
-
- // we simply check that the user can see the task. Other ACL checks
- // should be performed using `guard` events.
- $this->denyAccessUnlessGranted(TaskVoter::SHOW, $task);
 $form = $this->createTransitionForm($task);
@@ -118,6 +114,10 @@ class TaskController extends Controller
 if ($event->hasResponse()) {
 return $event->getResponse();
 } else {
+ // we simply check that the user can see the task. Other ACL checks
+ // should be performed using `guard` events.
+ $this->denyAccessUnlessGranted(TaskVoter::SHOW, $task);
+
 return $this->render($defaultTemplate, [
 'task' => $task,
 'form' => $form->createView(),
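Review bot: The `return $event->getResponse();` exit, and whatever form handling sits between the two hunks (not shown), now run without any access check in the controller, because `denyAccessUnlessGranted(TaskVoter::SHOW, $task)` is reached only in the `else` branch that renders the page. The comment defers other checks to workflow `guard` events, so a transition with no guard listener could presumably be applied by a user who is not allowed to see the task. I would keep `$this->denyAccessUnlessGranted(TaskVoter::SHOW, $task);` before `createTransitionForm($task)` as the baseline check, or else document on the action that every transition must have a guard enforcing at least SHOW and add a test that requests the action as a user without access. The action's body starts and ends outside both hunks, so this should be confirmed against the full method.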