diff --git a/lib/Db/AclMapper.php b/lib/Db/AclMapper.php
index c0cd89cea..d08353561 100644
--- a/lib/Db/AclMapper.php
+++ b/lib/Db/AclMapper.php
@@ -42,7 +42,7 @@ class AclMapper extends DeckMapper implements IPermissionMapper {
 }
 
 public function isOwner($userId, $aclId) {
- $sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_board_acl` WHERE id = ?)';
+ $sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_board_acl` WHERE id = ?)';
 $stmt = $this->execute($sql, [$aclId]);
 $row = $stmt->fetch();
 return ($row['owner'] === $userId);
diff --git a/lib/Db/BoardMapper.php b/lib/Db/BoardMapper.php
index 60f84917f..3499a1065 100644
--- a/lib/Db/BoardMapper.php
+++ b/lib/Db/BoardMapper.php
@@ -131,25 +131,6 @@ class BoardMapper extends DeckMapper implements IPermissionMapper {
 return parent::delete($entity);
 }
 
- public function userCanView($boardId, $userInfo) {
- $board = $this->find($boardId);
- if($board->getOwner()===$userInfo['user']) {
- return true;
- }
- try {
- $sql = 'SELECT acl.* FROM oc_deck_boards as boards ' .
- 'JOIN oc_deck_board_acl as acl ON boards.id=acl.board_id WHERE acl.participant=? AND acl.type=\'user\' AND boards.id = ? AND boards.owner != ?';
- $acl = $this->find($sql, [$userInfo['user'], $boardId, $userInfo['user']], $limit, $offset);
- return true;
- } catch (Exception $e) { }
- try {
- $acl = $this->find($sql, [$userInfo['user'], $boardId, $userInfo['user']], $limit, $offset);
- return true;
- } catch (Exception $e) {
- }
-
- }
-
 public function isOwner($userId, $boardId) {
 $board = $this->find($boardId);
 return ($board->getOwner() === $userId);
diff --git a/lib/Db/CardMapper.php b/lib/Db/CardMapper.php
index 3863f8c4c..b5df682f3 100644
--- a/lib/Db/CardMapper.php
+++ b/lib/Db/CardMapper.php
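Review bot: `$stmt->fetch()` returns `false` when no board row matches `$aclId`, and `$row['owner']` on `false` evaluates to `null` (with an "array offset on value of type bool" notice/warning on PHP 7.4+), so `isOwner` denies by accident rather than by an explicit check; add `if ($row === false) { return false; }` before the comparison. The same pattern is in the `isOwner` hunks of CardMapper, LabelMapper and StackMapper, and in CardMapper's `findBoardId`, whose `return $row['id'];` falls through to `null` on a missing card — that fall-through is exactly what SharingMiddleware's new `!$boardId` check depends on, so it deserves an explicit `if ($row === false) { return null; }` plus a `@return int|null` docblock there. This assumes `execute()` hands back a PDO-style statement, which the calls suggest but the hunk does not show. `isOwner`'s closing brace lies outside the hunk.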
@@ -120,14 +120,14 @@ class CardMapper extends Mapper implements IPermissionMapper {
 }
 
 public function isOwner($userId, $cardId) {
- $sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
+ $sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
 $stmt = $this->execute($sql, [$cardId]);
 $row = $stmt->fetch();
 return ($row['owner'] === $userId);
 }
 
 public function findBoardId($cardId) {
- $sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
+ $sql = 'SELECT id FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
 $stmt = $this->execute($sql, [$cardId]);
 $row = $stmt->fetch();
 return $row['id'];
diff --git a/lib/Db/LabelMapper.php b/lib/Db/LabelMapper.php
index 6c13b598b..34036474a 100644
--- a/lib/Db/LabelMapper.php
+++ b/lib/Db/LabelMapper.php
@@ -25,7 +25,6 @@ namespace OCA\Deck\Db;
 
 use OCP\AppFramework\Db\Entity;
 use OCP\IDb;
-use OCP\AppFramework\Db\Mapper;
 
 class LabelMapper extends DeckMapper implements IPermissionMapper {
 
@@ -84,7 +83,7 @@ class LabelMapper extends DeckMapper implements IPermissionMapper {
 }
 
 public function isOwner($userId, $labelId) {
- $sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_labels` WHERE id = ?)';
+ $sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_labels` WHERE id = ?)';
 $stmt = $this->execute($sql, [$labelId]);
 $row = $stmt->fetch();
 return ($row['owner'] === $userId);
diff --git a/lib/Db/StackMapper.php b/lib/Db/StackMapper.php
index a07b9e4c8..e8ba0e86e 100644
--- a/lib/Db/StackMapper.php
+++ b/lib/Db/StackMapper.php
@@ -62,7 +62,7 @@ class StackMapper extends Mapper implements IPermissionMapper {
 }
 
 public function isOwner($userId, $stackId) {
- $sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id = ?)';
+ $sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id = ?)';
 $stmt = $this->execute($sql, [$stackId]);
 $row = $stmt->fetch();
 return ($row['owner'] === $userId);
diff --git a/lib/Middleware/SharingMiddleware.php b/lib/Middleware/SharingMiddleware.php
index 3a5cc3141..5d057b8c1 100644
--- a/lib/Middleware/SharingMiddleware.php
+++ b/lib/Middleware/SharingMiddleware.php
@@ -29,6 +29,7 @@ use OCA\Deck\Controller\LabelController;
 use OCA\Deck\Controller\PageController;
 use OCA\Deck\Controller\ShareController;
 use OCA\Deck\NoPermissionException;
+use OCA\Deck\NotFoundException;
 use \OCP\AppFramework\Middleware;
 use OCP\IContainer;
 use OCP\IRequest;
@@ -192,15 +193,18 @@ class SharingMiddleware extends Middleware {
 * @return bool
 */
 public function checkMapperPermission($permission, $userId, $mapper, $id) {
- // FIXME: This fails with no permission if $id doesn't exist
- // We need some fallback to doesn't exist here
-
- // is owner
+ // check if current user is owner
 if ($mapper->isOwner($userId, $id)) {
 return true;
 }
- // check if is in acl
+
+ // find related board
 $boardId = $mapper->findBoardId($id);
+ if(!$boardId) {
+ throw new NotFoundException("Entity not found");
+ }
+ // check if is in acl
+
 $acls = $this->aclMapper->findAll($boardId);
 // check for users
 foreach ($acls as $acl) {
@@ -234,6 +238,12 @@ class SharingMiddleware extends Middleware {
 "message" => $exception->getMessage()
 ], 401);
 }
+ if (is_a($exception, '\OCA\Deck\NotFoundException')) {
+ return new JSONResponse([
+ "status" => 404,
+ "message" => $exception->getMessage()
+ ], 404);
+ }
 throw $exception;
 }
 
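Review bot: `if(!$boardId)` on the added line tests truthiness rather than absence, and it is written without the space after `if` that the neighbouring `if ($mapper->isOwner($userId, $id))` uses; if every mapper's `findBoardId` yields `null` for a missing entity (CardMapper's does, via `$row['id']` on a failed fetch), `if ($boardId === null) {` states the intent and does not depend on the id's value. The ordering is sound from a disclosure standpoint: the 404 is only reached after `isOwner` has already failed and the entity resolves to no board, so it reveals nothing about boards the caller is not allowed to see. A nonexistent id now costs two queries (`isOwner`, then `findBoardId`) before the exception is raised, which is acceptable but worth recording, e.g. `// a nonexistent id fails isOwner and is reported as 404 below`. checkMapperPermission continues past the end of the hunk.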
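Review bot: `is_a($exception, '\OCA\Deck\NotFoundException')` matches the class by a string literal while the same commit imports `OCA\Deck\NotFoundException` at the top of the file; `if ($exception instanceof NotFoundException) {` is the idiomatic form, survives a rename, and is visible to static analysis. If the 401 branch just above (its condition is outside the hunk) uses the same string form, it would be worth converting both together. The 404 body returns `$exception->getMessage()` verbatim to the client; that is fine for the fixed `"Entity not found"` thrown in checkMapperPermission, but any future throw site has to keep the message free of internal detail, which a short comment on the branch would make explicit. afterException starts before the hunk.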
diff --git a/lib/NotFoundException.php b/lib/NotFoundException.php
index f48e979fd..90f2d9558 100644
--- a/lib/NotFoundException.php
+++ b/lib/NotFoundException.php
@@ -24,12 +24,9 @@ namespace OCA\Deck;
 
 
 
-class NoPermissionException extends \Exception {
+class NotFoundException extends \Exception {
 
- public function __construct($message, $controller=null, $method=null) {
+ public function __construct($message) {
 parent::__construct($message);
- if($controller && $method) {
- $this->message = get_class($controller) . "#" . $method . ": " . $message;
- }
 }
 }
\ No newline at end of file
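Review bot: The new constructor `public function __construct($message)` drops `\Exception`'s `$previous` argument, so a `NotFoundException` raised in response to a lower-level lookup failure cannot carry its cause; `public function __construct($message, \Exception $previous = null) {` with `parent::__construct($message, 0, $previous);` keeps chaining and stays compatible with the single call site in SharingMiddleware. The class also has no docblock, and because afterException sends `getMessage()` to the client as the 404 body, a header comment such as `/** Thrown when a deck entity referenced by id does not exist. The message is returned to the client, so keep it generic. */` would record that contract where throw sites will see it. Ending the file with a newline would also clear the "No newline at end of file" marker.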