From 0e7b3b17ddfabecc12dc6b1694480139a55cdf0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?= <jus@bitgrid.net>
Date: Fri, 7 Feb 2020 16:51:24 +0100
Subject: [PATCH] Check for board membership on comments entity event
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl <jus@bitgrid.net>
---
 lib/AppInfo/Application.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 1fbb59439..935fa7599 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -38,6 +38,7 @@ use OCA\Deck\Middleware\DefaultBoardMiddleware;
 use OCA\Deck\Middleware\ExceptionMiddleware;
 use OCA\Deck\Notification\Notifier;
 use OCA\Deck\Service\FullTextSearchService;
+use OCA\Deck\Service\PermissionService;
 use OCP\AppFramework\App;
 use OCP\Collaboration\Resources\IManager;
 use OCP\Collaboration\Resources\IProviderManager;
@@ -150,13 +151,14 @@ class Application extends App {
 		$this->server->getEventDispatcher()->addListener(CommentsEntityEvent::EVENT_ENTITY, function(CommentsEntityEvent $event) {
 			$event->addEntityCollection('deckCard', function($name) {
 				/** @var CardMapper */
-				$service = $this->getContainer()->query(CardMapper::class);
+				$cardMapper = $this->getContainer()->query(CardMapper::class);
+				$permissionService = $this->getContainer()->query(PermissionService::class);
+
 				try {
-					$service->find((int) $name);
-				} catch (InvalidArgumentException $e) {
+					return $permissionService->checkPermission($cardMapper, (int) $name, Acl::PERMISSION_READ);
+				} catch (\Exception $e) {
 					return false;
 				}
-				return true;
 			});
 		});
 		$this->registerCommentsEventHandler();