fix: Limit card activities for deleted cards
Signed-off-by: Julius Härtl <jus@bitgrid.net>
@@ -38,6 +38,7 @@ use OCA\Deck\Db\CardMapper;
|
||||
use OCA\Deck\Db\Label;
|
||||
use OCA\Deck\Db\Stack;
|
||||
use OCA\Deck\Db\StackMapper;
|
||||
use OCA\Deck\NoPermissionException;
|
||||
use OCA\Deck\Service\PermissionService;
|
||||
use OCP\Activity\IEvent;
|
||||
use OCP\Activity\IManager;
|
||||
@@ -559,4 +560,24 @@ class ActivityManager {
|
||||
'board' => $board
|
||||
];
|
||||
}
|
||||
|
||||
public function canSeeCardActivity(int $cardId): bool {
|
||||
try {
|
||||
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
|
||||
$card = $this->cardMapper->find($cardId);
|
||||
return $card->getDeletedAt() === 0;
|
||||
} catch (NoPermissionException $e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
public function canSeeBoardActivity(int $boardId): bool {
|
||||
try {
|
||||
$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ);
|
||||
$board = $this->boardMapper->find($boardId);
|
||||
return $board->getDeletedAt() === 0;
|
||||
} catch (NoPermissionException $e) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
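Review bot: canSeeCardActivity and canSeeBoardActivity catch only NoPermissionException, so if `$this->cardMapper->find($cardId)` or `$this->boardMapper->find($boardId)` throws for a row that no longer exists (QBMapper-based finders typically raise OCP\AppFramework\Db\DoesNotExistException), the exception escapes the activity provider instead of the entry simply being hidden. Failing closed is a one-line change in each method, `} catch (NoPermissionException | DoesNotExistException $e) {`, with `use OCP\AppFramework\Db\DoesNotExistException;` added next to the use statements touched in the first hunk. The two methods differ only in the mapper they use, which suggests a private helper taking the mapper and the id. Whether checkPermission already rejects a card whose parent board is deleted is not visible here; if it does not, such a card still passes the `getDeletedAt() === 0` test, which is worth confirming.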
|
||||
|
||||
@@ -111,6 +111,9 @@ class DeckProvider implements IProvider {
|
||||
$event->setAuthor($author);
|
||||
}
|
||||
if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) {
|
||||
if (!$this->activityManager->canSeeBoardActivity($event->getObjectId())) {
|
||||
throw new \InvalidArgumentException();
|
||||
}
|
||||
if (isset($subjectParams['board']) && $event->getObjectName() === '') {
|
||||
$event->setObject($event->getObjectType(), $event->getObjectId(), $subjectParams['board']['title']);
|
||||
}
|
||||
@@ -125,6 +128,9 @@ class DeckProvider implements IProvider {
|
||||
}
|
||||
|
||||
if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {
|
||||
if (!$this->activityManager->canSeeCardActivity($event->getObjectId())) {
|
||||
throw new \InvalidArgumentException();
|
||||
}
|
||||
if ($event->getObjectName() === '') {
|
||||
$event->setObject($event->getObjectType(), $event->getObjectId(), $subjectParams['card']['title']);
|
||||
}
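Review bot: The card visibility check is nested inside `if (isset($subjectParams['card']) && ...)`, so a deck_card event that carries no 'card' subject parameter skips canSeeCardActivity entirely, whereas the board branch in the previous hunk checks visibility for every board-typed event regardless of its parameters. If any card event is emitted without that parameter (not visible here), its activity remains readable after the card is deleted or access is revoked. Keying the guard on the object type alone closes that gap: change the outer condition to `if ($event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {` and the inner one to `if (isset($subjectParams['card']) && $event->getObjectName() === '') {`. The enclosing parse method starts and ends outside both hunks.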
|
||||
|
||||
@@ -17,9 +17,9 @@ class BoardContext implements Context {
|
||||
/** @var array last card response */
|
||||
private $card = null;
|
||||
private array $storedCards = [];
|
||||
private ?array $activities = null;
|
||||
|
||||
/** @var ServerContext */
|
||||
private $serverContext;
|
||||
private ServerContext $serverContext;
|
||||
|
||||
/** @BeforeScenario */
|
||||
public function gatherContexts(BeforeScenarioScope $scope) {
|
||||
@@ -285,4 +285,23 @@ class BoardContext implements Context {
|
||||
public function deleteTheBoard() {
|
||||
$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/boards/' . $this->board['id']);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* @Given /^get the activities for the last card$/
|
||||
*/
|
||||
public function getActivitiesForTheLastCard() {
|
||||
$card = $this->getLastUsedCard();
|
||||
$this->requestContext->sendOCSRequest('GET', '/apps/activity/api/v2/activity/filter?format=json&type=deck&since=0&object_type=deck_card&object_id=' . $card['id'] . '&limit=50');
|
||||
$this->activities = json_decode((string)$this->getResponse()->getBody(), true)['ocs']['data'] ?? null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @Then the fetched activities should have :count entries
|
||||
*/
|
||||
public function theFetchedActivitiesShouldHaveEntries($count) {
|
||||
Assert::assertEquals($count, count($this->activities ?? []));
|
||||
}
|
||||
|
||||
|
||||
}
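Review bot: theFetchedActivitiesShouldHaveEntries receives `$count` from the Behat step as a string and compares it to an int with assertEquals, so the assertion holds only through loose comparison and gives a less informative failure message than a count assertion. `public function theFetchedActivitiesShouldHaveEntries(int $count): void { Assert::assertCount($count, $this->activities ?? []); }` states the intent directly. In getActivitiesForTheLastCard the `?? null` fallback silently turns an error or malformed response into "no activities", which lets the later `should have 0 entries` step pass for the wrong reason; asserting the response status before reading the body would keep the scenario honest.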
|
||||
|
||||
@@ -77,8 +77,13 @@ Feature: decks
|
||||
And uploads an attachment to the last used card
|
||||
And remember the last attachment as "my-attachment"
|
||||
And post a comment with content "My first comment" on the card
|
||||
When get the activities for the last card
|
||||
Then the fetched activities should have 3 entries
|
||||
And delete the card
|
||||
|
||||
When get the activities for the last card
|
||||
Then the fetched activities should have 0 entries
|
||||
|
||||
When fetching the attachment "my-attachment" for the card "deletedCard"
|
||||
Then the response should have a status code 403
|
||||
|
||||
|
||||
@@ -74,6 +74,9 @@ class DeckProviderTest extends TestCase {
|
||||
$this->config = $this->createMock(IConfig::class);
|
||||
$this->cardService = $this->createMock(CardService::class);
|
||||
$this->provider = new DeckProvider($this->urlGenerator, $this->activityManager, $this->userManager, $this->commentsManager, $this->l10nFactory, $this->config, $this->userId, $this->cardService);
|
||||
|
||||
$this->activityManager->method('canSeeCardActivity')->willReturn(true);
|
||||
$this->activityManager->method('canSeeBoardActivity')->willReturn(true);
|
||||
}
|
||||
|
||||
private function mockEvent($objectType, $objectId, $objectName, $subject, $subjectParameters = []) {
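Review bot: Both new mocks return true unconditionally, so nothing in this test class exercises the denial path where parse throws \InvalidArgumentException for a hidden card or board. A test that overrides `canSeeCardActivity` with `willReturn(false)`, calls `expectException(\InvalidArgumentException::class)` before invoking parse, and feeds it a card event would pin the behaviour this commit adds; the board path deserves the same. mockEvent's body continues outside the hunk.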
|
||||
|
||||