ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: Further limit updating cards

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2024-01-04 14:01:24 +01:00
parent b812075e06
commit 23a0ec226b
3 changed files with 9 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/Service/CardService.php
View File

@@ -1,4 +1,4 @@
<?php
lib/Service/CardService.php<?php
/**
* @copyright Copyright (c) 2016 Julius Härtl <jus@bitgrid.net>
*
@@ -264,7 +264,7 @@ class CardService {
public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null) {
$this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
$this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -276,9 +276,9 @@ class CardService {
}
if ($card->getDeletedAt() !== 0) {
if ($deletedAt === null) {
if ($deletedAt === null || $deletedAt > 0) {
// Only allow operations when restoring the card
throw new StatusException('Operation not allowed. This card was deleted.');
throw new NoPermissionException('Operation not allowed. This card was deleted.');
}
}

1
tests/integration/features/bootstrap/BoardContext.php
View File

@@ -276,6 +276,7 @@ class BoardContext implements Context {
*/
public function deleteTheCard() {
$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
$this->card['deletedAt'] = time();
}
/**

8
tests/integration/features/decks.feature
View File

@@ -126,7 +126,7 @@ Feature: decks
# We currently still expect to be able to update the card as this is used to undo deletion
When set the description to "Update some text"
Then the response should have a status code 403
#When set the card attribute "deletedAt" to "0"
#Then the response should have a status code 200
#When set the description to "Update some text"
#Then the response should have a status code 200
When set the card attribute "deletedAt" to "0"
Then the response should have a status code 200
When set the description to "Update some text"
Then the response should have a status code 200