fix: Further limit updating cards

Signed-off-by: Julius Härtl <jus@bitgrid.net>
Julius Härtl
2024-01-04 14:01:24 +01:00
parent b812075e06
commit 23a0ec226b
3 changed files with 9 additions and 8 deletions


@@ -1,4 +1,4 @@
<?php lib/Service/CardService.php<?php
/** /**
* @copyright Copyright (c) 2016 Julius Härtl <jus@bitgrid.net> * @copyright Copyright (c) 2016 Julius Härtl <jus@bitgrid.net>
* *
@@ -264,7 +264,7 @@ class CardService {
public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null) { public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null) {
$this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order')); $this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
$this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
if ($this->boardService->isArchived($this->cardMapper, $id)) { if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -276,9 +276,9 @@ class CardService {
} }
if ($card->getDeletedAt() !== 0) { if ($card->getDeletedAt() !== 0) {
if ($deletedAt === null) { if ($deletedAt === null || $deletedAt > 0) {
// Only allow operations when restoring the card // Only allow operations when restoring the card
throw new StatusException('Operation not allowed. This card was deleted.'); throw new NoPermissionException('Operation not allowed. This card was deleted.');
} }
} }
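Review bot: The deleted-card guard in `update()` (`if ($deletedAt === null || $deletedAt > 0)`) still lets through any non-null value that is not greater than zero, so a negative number is treated like a restore. `$deletedAt` is not among the fields passed to `cardServiceValidator->check()` at the top of the method, and with `allowDeletedCard: true` now on the card permission check this comparison appears to be the main barrier against editing a deleted card. Consider accepting only the exact restore value, e.g. `if ($deletedAt === null || (int)$deletedAt !== 0) {`, and validating the field alongside the others. Whether the controller already casts `deletedAt` to an integer is not visible here, and the rest of `update()` lies outside the hunks, so it is also worth confirming how many other card fields a restore call is meant to change.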


@@ -276,6 +276,7 @@ class BoardContext implements Context {
*/ */
public function deleteTheCard() { public function deleteTheCard() {
$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']); $this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
$this->card['deletedAt'] = time();
} }
/** /**
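Review bot: `deleteTheCard()` sets `$this->card['deletedAt'] = time();` whether or not the DELETE request succeeded, and the value is the test runner's clock, not what the server stored. If later steps send this field back with an update, the 403 expected in the feature would come only from the `$deletedAt > 0` branch, leaving the case where a client omits `deletedAt` on a deleted card unexercised; this depends on step code not shown here. A short comment such as `// mirror the soft-delete locally so later update steps send a non-zero deletedAt` would document the intent, and a scenario step that omits the field would cover the other branch.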


@@ -126,7 +126,7 @@ Feature: decks
# We currently still expect to be able to update the card as this is used to undo deletion # We currently still expect to be able to update the card as this is used to undo deletion
When set the description to "Update some text" When set the description to "Update some text"
Then the response should have a status code 403 Then the response should have a status code 403
#When set the card attribute "deletedAt" to "0" When set the card attribute "deletedAt" to "0"
#Then the response should have a status code 200 Then the response should have a status code 200
#When set the description to "Update some text" When set the description to "Update some text"
#Then the response should have a status code 200 Then the response should have a status code 200