ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix(activity): Fix permission checks when rendering activities in background jobs

Browse Source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling
2024-01-29 09:10:47 +01:00
parent bfe2a9053f
commit 16078a3dd3
2 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/Activity/ActivityManager.php
View File

@@ -566,9 +566,9 @@ class ActivityManager {
]; ];
} }
public function canSeeCardActivity(int $cardId): bool { public function canSeeCardActivity(int $cardId, string $userId): bool {
try { try {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ, $userId);
$card = $this->cardMapper->find($cardId); $card = $this->cardMapper->find($cardId);
return $card->getDeletedAt() === 0; return $card->getDeletedAt() === 0;
} catch (NoPermissionException $e) { } catch (NoPermissionException $e) {
@@ -576,9 +576,9 @@ class ActivityManager {
} }
} }
public function canSeeBoardActivity(int $boardId): bool { public function canSeeBoardActivity(int $boardId, string $userId): bool {
try { try {
$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ, $userId);
$board = $this->boardMapper->find($boardId); $board = $this->boardMapper->find($boardId);
return $board->getDeletedAt() === 0; return $board->getDeletedAt() === 0;
} catch (NoPermissionException $e) { } catch (NoPermissionException $e) {

4
lib/Activity/DeckProvider.php
View File

@@ -111,7 +111,7 @@ class DeckProvider implements IProvider {
$event->setAuthor($author); $event->setAuthor($author);
} }
if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) { if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) {
if (!$this->activityManager->canSeeBoardActivity($event->getObjectId())) { if (!$this->activityManager->canSeeBoardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException(); throw new \InvalidArgumentException();
} }
if (isset($subjectParams['board']) && $event->getObjectName() === '') { if (isset($subjectParams['board']) && $event->getObjectName() === '') {
@@ -128,7 +128,7 @@ class DeckProvider implements IProvider {
} }
if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) { if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {
if (!$this->activityManager->canSeeCardActivity($event->getObjectId())) { if (!$this->activityManager->canSeeCardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException(); throw new \InvalidArgumentException();
} }
if ($event->getObjectName() === '') { if ($event->getObjectName() === '') {