From 272da5406a7c7750aa421ac469092a2ae32f7d6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Julius=20H=C3=A4rtl?= Date: Thu, 4 Jan 2024 14:01:24 +0100 Subject: [PATCH] fix: Further limit updating cards MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Julius Härtl
---
lib/Service/CardService.php | 8 ++++---- tests/integration/features/bootstrap/BoardContext.php | 1 + tests/integration/features/decks.feature | 8 ++++---- 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/lib/Service/CardService.php b/lib/Service/CardService.php
index 717b0b15d..dc74a2fb2 100644
--- a/lib/Service/CardService.php
+++ b/lib/Service/CardService.php
@@ -1,4 +1,4 @@
- *
@@ -264,7 +264,7 @@ class CardService {
 public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null) {
 $this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
- $this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT);
+ $this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
 $this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
 if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -276,9 +276,9 @@ class CardService {
 }
 if ($card->getDeletedAt() !== 0) {
- if ($deletedAt === null) {
+ if ($deletedAt === null || $deletedAt > 0) {
 // Only allow operations when restoring the card
- throw new StatusException('Operation not allowed. This card was deleted.');
+ throw new NoPermissionException('Operation not allowed. This card was deleted.');
 }
 }
diff --git a/tests/integration/features/bootstrap/BoardContext.php b/tests/integration/features/bootstrap/BoardContext.php
index fdd985d27..20b6188c6 100644
--- a/tests/integration/features/bootstrap/BoardContext.php
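Review bot: The `allowDeletedCard: true` added to the card-level `checkPermission` call lets a soft-deleted card through the first authorisation gate, and nothing on that line says why; the only thing that still blocks an ordinary edit of a deleted card is the `getDeletedAt() !== 0` block further down in `update()`, which lives in a separate hunk. A why-comment on the changed line would stop a later refactor from reordering or dropping that dependency: `// Deleted cards must pass this check so a restore (deletedAt = 0) can reach the deletedAt gate below; all other edits of a deleted card are rejected there.` Note also that the validator call just above this line checks `id`, `title`, `stackId`, `type`, `owner` and `order` but not `deletedAt`, so the value the later gate compares against arrives untyped. `update()` starts in this hunk and continues outside it.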
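Review bot: The widened condition `if ($deletedAt === null || $deletedAt > 0)` still admits anything that is neither null nor positive as a "restore": a negative integer (or a numeric string such as "-1") passes the gate, and whatever `update()` then stores for `deletedAt` is not 0, so the card is neither restored nor carries a real deletion time. Since `deletedAt` is not in the validator's field list (visible in the hunk above), the check should spell out the one value it allows rather than enumerate the ones it rejects, e.g. `if ($deletedAt === null || (int) $deletedAt !== 0) {`, with the existing comment reworded to `// Only a restore (deletedAt set to exactly 0) may touch a deleted card`; adding `deletedAt` to the validated fields would be the cleaner fix if the validator supports it. The switch from `StatusException` to `NoPermissionException` also presumes that class is already imported in this file, which the hunk does not show. The enclosing `update()` method begins and ends outside this hunk.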
+++ b/tests/integration/features/bootstrap/BoardContext.php
@@ -276,6 +276,7 @@ class BoardContext implements Context {
 */
 public function deleteTheCard() {
 $this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
+ $this->card['deletedAt'] = time();
 }
 /**
diff --git a/tests/integration/features/decks.feature b/tests/integration/features/decks.feature
index 3582af430..9656c2a23 100644
--- a/tests/integration/features/decks.feature
+++ b/tests/integration/features/decks.feature
@@ -126,7 +126,7 @@ Feature: decks
 # We currently still expect to be able to update the card as this is used to undo deletion
 When set the description to "Update some text"
 Then the response should have a status code 403
- #When set the card attribute "deletedAt" to "0"
- #Then the response should have a status code 200
- #When set the description to "Update some text"
- #Then the response should have a status code 200
+ When set the card attribute "deletedAt" to "0"
+ Then the response should have a status code 200
+ When set the description to "Update some text"
+ Then the response should have a status code 200
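Review bot: `deleteTheCard()` now writes `$this->card['deletedAt'] = time();` unconditionally, before anything checks that the DELETE request succeeded, so a failed delete still leaves the context with a positive `deletedAt` and the later 403 assertion in decks.feature can pass for the wrong reason. Presumably the stored card is what the subsequent "set the description" step sends back, which is exactly what makes the new `$deletedAt > 0` branch in `CardService::update()` fire; recording the server's own `deletedAt` from the DELETE response, or at least asserting a success status before the assignment, would tie the test to real behaviour rather than a local clock value. A short comment on the new line, e.g. `// Mirror the server-side soft delete so later update steps send a non-zero deletedAt`, would also make the intent visible.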
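Review bot: The context comment `# We currently still expect to be able to update the card as this is used to undo deletion` now contradicts the steps beneath it: the very next step expects a 403, and only the explicit restore with `deletedAt` set to "0" is expected to return 200. Reword it to match the un-commented steps, e.g. `# Editing a deleted card is rejected; only a restore (deletedAt = 0) is accepted, after which edits work again`. The scenario also does not send a request that omits `deletedAt` (the null branch) or one with a negative value, which the service code treats differently; a step for each would pin the gate more fully.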