ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Merge pull request #6953 from nextcloud/backport/6933/stable30

Browse Source 
[stable30] fix: Limit label actions to labels of the cards board
This commit is contained in:
Julius Knorr
2025-04-29 12:30:49 +02:00
committed by GitHub
parent 508cf46909 4b17dc9813
commit 2fde8eaf2e
3 changed files with 30 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/Service/CardService.php
View File

@@ -600,8 +600,9 @@ class CardService {
public function assignLabel($cardId, $labelId) { public function assignLabel($cardId, $labelId) {
$this->cardServiceValidator->check(compact('cardId', 'labelId')); $this->cardServiceValidator->check(compact('cardId', 'labelId'));
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
if ($this->boardService->isArchived($this->cardMapper, $cardId)) { if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
throw new StatusException('Operation not allowed. This board is archived.'); throw new StatusException('Operation not allowed. This board is archived.');
} }
@@ -610,6 +611,9 @@ class CardService {
throw new StatusException('Operation not allowed. This card is archived.'); throw new StatusException('Operation not allowed. This card is archived.');
} }
$label = $this->labelMapper->find($labelId); $label = $this->labelMapper->find($labelId);
if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
throw new StatusException('Operation not allowed. Label does not exist.');
}
$this->cardMapper->assignLabel($cardId, $labelId); $this->cardMapper->assignLabel($cardId, $labelId);
$this->changeHelper->cardChanged($cardId); $this->changeHelper->cardChanged($cardId);
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_ASSIGN, ['label' => $label]); $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_ASSIGN, ['label' => $label]);
@@ -631,6 +635,8 @@ class CardService {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
if ($this->boardService->isArchived($this->cardMapper, $cardId)) { if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
throw new StatusException('Operation not allowed. This board is archived.'); throw new StatusException('Operation not allowed. This board is archived.');
} }
@@ -639,6 +645,9 @@ class CardService {
throw new StatusException('Operation not allowed. This card is archived.'); throw new StatusException('Operation not allowed. This card is archived.');
} }
$label = $this->labelMapper->find($labelId); $label = $this->labelMapper->find($labelId);
if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
throw new StatusException('Operation not allowed. Label does not exist.');
}
$this->cardMapper->removeLabel($cardId, $labelId); $this->cardMapper->removeLabel($cardId, $labelId);
$this->changeHelper->cardChanged($cardId); $this->changeHelper->cardChanged($cardId);
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_UNASSING, ['label' => $label]); $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_UNASSING, ['label' => $label]);

2
tests/integration/base-query-count.txt
View File

@@ -1 +1 @@
71452 71618

19
tests/unit/Service/CardServiceTest.php
View File

@@ -31,6 +31,7 @@ use OCA\Deck\Db\BoardMapper;
use OCA\Deck\Db\Card; use OCA\Deck\Db\Card;
use OCA\Deck\Db\CardMapper; use OCA\Deck\Db\CardMapper;
use OCA\Deck\Db\ChangeHelper; use OCA\Deck\Db\ChangeHelper;
use OCA\Deck\Db\Label;
use OCA\Deck\Db\LabelMapper; use OCA\Deck\Db\LabelMapper;
use OCA\Deck\Db\Stack; use OCA\Deck\Db\Stack;
use OCA\Deck\Db\StackMapper; use OCA\Deck\Db\StackMapper;
@@ -347,8 +348,17 @@ class CardServiceTest extends TestCase {
public function testAssignLabel() { public function testAssignLabel() {
$card = new Card(); $card = new Card();
$card->setArchived(false); $card->setArchived(false);
$card->setId(123);
$label = new Label();
$label->setBoardId(1);
$this->cardMapper->expects($this->once())->method('find')->willReturn($card); $this->cardMapper->expects($this->once())->method('find')->willReturn($card);
$this->cardMapper->expects($this->once())->method('assignLabel'); $this->cardMapper->expects($this->once())->method('assignLabel');
$this->cardMapper->expects($this->once())
->method('findBoardId')
->willReturn(1);
$this->labelMapper->expects($this->once())
->method('find')
->willReturn($label);
$this->cardService->assignLabel(123, 999); $this->cardService->assignLabel(123, 999);
} }
@@ -364,8 +374,17 @@ class CardServiceTest extends TestCase {
public function testRemoveLabel() { public function testRemoveLabel() {
$card = new Card(); $card = new Card();
$card->setArchived(false); $card->setArchived(false);
$card->setId(123);
$label = new Label();
$label->setBoardId(1);
$this->cardMapper->expects($this->once())->method('find')->willReturn($card); $this->cardMapper->expects($this->once())->method('find')->willReturn($card);
$this->cardMapper->expects($this->once())->method('removeLabel'); $this->cardMapper->expects($this->once())->method('removeLabel');
$this->cardMapper->expects($this->once())
->method('findBoardId')
->willReturn(1);
$this->labelMapper->expects($this->once())
->method('find')
->willReturn($label);
$this->cardService->removeLabel(123, 999); $this->cardService->removeLabel(123, 999);
} }