ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Fix not found acls and cleanup mappers

Browse Source
This commit is contained in:
Julius Haertl
2016-10-28 00:03:00 +02:00
parent 33714da18d
commit 1167ca14a8
7 changed files with 22 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/Db/AclMapper.php
View File

@@ -42,7 +42,7 @@ class AclMapper extends DeckMapper implements IPermissionMapper {
}
public function isOwner($userId, $aclId) {
$sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_board_acl` WHERE id = ?)';
$sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_board_acl` WHERE id = ?)';
$stmt = $this->execute($sql, [$aclId]);
$row = $stmt->fetch();
return ($row['owner'] === $userId);

19
lib/Db/BoardMapper.php
View File

@@ -131,25 +131,6 @@ class BoardMapper extends DeckMapper implements IPermissionMapper {
return parent::delete($entity);
}
public function userCanView($boardId, $userInfo) {
$board = $this->find($boardId);
if($board->getOwner()===$userInfo['user']) {
return true;
}
try {
$sql = 'SELECT acl.* FROM oc_deck_boards as boards ' .
'JOIN oc_deck_board_acl as acl ON boards.id=acl.board_id WHERE acl.participant=? AND acl.type=\'user\' AND boards.id = ? AND boards.owner != ?';
$acl = $this->find($sql, [$userInfo['user'], $boardId, $userInfo['user']], $limit, $offset);
return true;
} catch (Exception $e) { }
try {
$acl = $this->find($sql, [$userInfo['user'], $boardId, $userInfo['user']], $limit, $offset);
return true;
} catch (Exception $e) {
}
}
public function isOwner($userId, $boardId) {
$board = $this->find($boardId);
return ($board->getOwner() === $userId);

4
lib/Db/CardMapper.php
View File

@@ -120,14 +120,14 @@ class CardMapper extends Mapper implements IPermissionMapper {
}
public function isOwner($userId, $cardId) {
$sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
$sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
$stmt = $this->execute($sql, [$cardId]);
$row = $stmt->fetch();
return ($row['owner'] === $userId);
}
public function findBoardId($cardId) {
$sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
$sql = 'SELECT id FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id IN (SELECT stack_id FROM `*PREFIX*deck_cards` WHERE id = ?))';
$stmt = $this->execute($sql, [$cardId]);
$row = $stmt->fetch();
return $row['id'];

3
lib/Db/LabelMapper.php
View File

@@ -25,7 +25,6 @@ namespace OCA\Deck\Db;
use OCP\AppFramework\Db\Entity;
use OCP\IDb;
use OCP\AppFramework\Db\Mapper;
class LabelMapper extends DeckMapper implements IPermissionMapper {
@@ -84,7 +83,7 @@ class LabelMapper extends DeckMapper implements IPermissionMapper {
}
public function isOwner($userId, $labelId) {
$sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_labels` WHERE id = ?)';
$sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_labels` WHERE id = ?)';
$stmt = $this->execute($sql, [$labelId]);
$row = $stmt->fetch();
return ($row['owner'] === $userId);

2
lib/Db/StackMapper.php
View File

@@ -62,7 +62,7 @@ class StackMapper extends Mapper implements IPermissionMapper {
}
public function isOwner($userId, $stackId) {
$sql = 'SELECT * FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id = ?)';
$sql = 'SELECT owner FROM `*PREFIX*deck_boards` WHERE `id` IN (SELECT board_id FROM `*PREFIX*deck_stacks` WHERE id = ?)';
$stmt = $this->execute($sql, [$stackId]);
$row = $stmt->fetch();
return ($row['owner'] === $userId);

20
lib/Middleware/SharingMiddleware.php
View File

@@ -29,6 +29,7 @@ use OCA\Deck\Controller\LabelController;
use OCA\Deck\Controller\PageController;
use OCA\Deck\Controller\ShareController;
use OCA\Deck\NoPermissionException;
use OCA\Deck\NotFoundException;
use \OCP\AppFramework\Middleware;
use OCP\IContainer;
use OCP\IRequest;
@@ -192,15 +193,18 @@ class SharingMiddleware extends Middleware {
* @return bool
*/
public function checkMapperPermission($permission, $userId, $mapper, $id) {
// FIXME: This fails with no permission if $id doesn't exist
// We need some fallback to doesn't exist here
// is owner
// check if current user is owner
if ($mapper->isOwner($userId, $id)) {
return true;
}
// check if is in acl
// find related board
$boardId = $mapper->findBoardId($id);
if(!$boardId) {
throw new NotFoundException("Entity not found");
}
// check if is in acl
$acls = $this->aclMapper->findAll($boardId);
// check for users
foreach ($acls as $acl) {
@@ -234,6 +238,12 @@ class SharingMiddleware extends Middleware {
"message" => $exception->getMessage()
], 401);
}
if (is_a($exception, '\OCA\Deck\NotFoundException')) {
return new JSONResponse([
"status" => 404,
"message" => $exception->getMessage()
], 404);
}
throw $exception;
}

7
lib/NotFoundException.php
View File

@@ -24,12 +24,9 @@
namespace OCA\Deck;
class NoPermissionException extends \Exception {
class NotFoundException extends \Exception {
public function __construct($message, $controller=null, $method=null) {
public function __construct($message) {
parent::__construct($message);
if($controller && $method) {
$this->message = get_class($controller) . "#" . $method . ": " . $message;
}
}
}