public function execute($task) { // If we're using the JSON API we need a manager $format = $this->input->getCmd('format', 'html'); if ($format == 'json' && !($this->checkACL('core.manage') || $this->checkACL('core.admin'))) { throw new \RuntimeException(\JText::_('JLIB_APPLICATION_ERROR_ACCESS_FORBIDDEN'), 403); } // For the HTML view we only allow browse and download if ($format != 'json') { if (!in_array($task, ['browse', 'download'])) { $task = 'browse'; } } return parent::execute($task); }