From 2a4b0a3ed3e1ddd7a5905460a81d20d8439621b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakob=20R=C3=B6hrl?=
Date: Wed, 2 Sep 2020 08:40:19 +0200
Subject: [PATCH] security and api
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jakob Röhrl
---
 docs/API.md | 13 +++++++++++++
 lib/Service/StackService.php | 7 ++++++-
 src/components/board/Stack.vue | 4 ++--
 3 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/docs/API.md b/docs/API.md
index 97db2c0bb..02e0c8ed6 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -502,6 +502,19 @@ The board list endpoint supports setting an `If-Modified-Since` header to limit
 | stackId | Integer | The id of the stack |
 #### Response
+It will return an object of the new stack containing the new cards as well.
+
+```json
+ {"title":"l1 (copy)",
+ "boardId":6,
+ "deletedAt":0,
+ "lastModified":0,
+ "cards":
+ [{"title":"ME","description":"123","stackId":73,"type":"plain","lastModified":1599028559,"lastEditor":null,"createdAt":1599028559,"labels":[],"assignedUsers":[],"attachments":null,"attachmentCount":0,"owner":{"primaryKey":"root","uid":"root","displayname":"root","type":0},"order":0,"archived":false,"duedate":null,"deletedAt":0,"commentsUnread":0,"id":109,"overdue":0},
+ {"title":"ka","description":"","stackId":73,"type":"plain","lastModified":1599028559,"lastEditor":null,"createdAt":1599028559,"labels":[],"assignedUsers":[],"attachments":null,"attachmentCount":0,"owner":{"primaryKey":"root","uid":"root","displayname":"root","type":0},"order":1,"archived":false,"duedate":"2020-08-26T22:00:00+00:00","deletedAt":0,"commentsUnread":0,"id":110,"overdue":3}],
+ "order":999,
+ "id":73}
+```
 ##### 200 Success
diff --git a/lib/Service/StackService.php b/lib/Service/StackService.php
index 7cd0e2b12..33606ec6d 100644
--- a/lib/Service/StackService.php
+++ b/lib/Service/StackService.php
@@ -393,6 +393,8 @@ class StackService {
 }
 $this->permissionService->checkPermission(null, $boardId, Acl::PERMISSION_MANAGE);
+ $this->permissionService->checkPermission(null, $boardId, Acl::PERMISSION_READ);
+
 if ($this->boardService->isArchived(null, $boardId)) {
 throw new StatusException('Operation not allowed. This board is archived.');
 }
@@ -400,6 +402,10 @@ class StackService {
 $stack = $this->stackMapper->find($id);
 $board = $this->boardMapper->find($boardId);
+ if ($stack->getBoardId() !== $board->getId()) {
+ throw new StatusException('Operation not allowed. Stack is not part of this board');
+ }
+
 $newStack = new Stack();
 $newStack->setTitle($stack->getTitle() . ' (' . $this->l10n->t('copy') . ')');
@@ -418,7 +424,6 @@ class StackService {
 );
 $cards = $this->cardMapper->findAll($id);
- $newCardArray = [];
 foreach ($cards as $card) {
 $newCard = new Card();
diff --git a/src/components/board/Stack.vue b/src/components/board/Stack.vue
index 70d8823a1..6377df3a9 100644
--- a/src/components/board/Stack.vue
+++ b/src/components/board/Stack.vue
@@ -43,10 +43,10 @@
 - + {{ t('deck', 'Archive all cards') }} - + {{ t('deck', 'Clone list') }}
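Review bot: The new `checkPermission(null, $boardId, Acl::PERMISSION_READ)` call placed directly after the existing `PERMISSION_MANAGE` check on the same `$boardId` needs a comment explaining why both are required, because from this hunk alone the second call reads as either redundant (if MANAGE implies READ in the permission service) or as a deliberate second gate, and a future cleanup could drop one of them without noticing. Both checks are keyed on `$boardId` only; as far as this hunk shows, nothing here ties the caller-supplied `$id` to that board, so the two calls on their own do not stop a stack from a different board being named. Suggest `// Both READ and MANAGE on $boardId are required to clone into this board; the stack/board binding is verified separately before any card is read.` above the new line. The enclosing method starts before this hunk.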
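Review bot: The added `$stack->getBoardId() !== $board->getId()` guard is the security-relevant part of this commit and deserves a why-comment, since the permission checks earlier in the method run against `$boardId` while `$id` is caller-supplied, and as far as the visible lines show the stack and its cards (`$this->stackMapper->find($id)`, `$this->cardMapper->findAll($id)`) were previously read with no check that they belong to the permitted board. Suggest `// $id is caller-supplied and permissions were checked on $boardId only: refuse to clone a stack that belongs to a different board.` above the `if`. The new message also lacks the trailing period its sibling `'Operation not allowed. This board is archived.'` has; `'Operation not allowed. Stack is not part of this board.'` keeps the two consistent. Because the comparison is strict, it fails closed (throws) if either getter ever yields a string id rather than an int, which is the safe direction but worth confirming so legitimate clones are not rejected. The enclosing method starts before this hunk and the card-copy loop this guard protects is in the following hunk.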