From 6fa7295b420dc7fececcbc0352ba07e685982024 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Thu, 19 Dec 2019 20:26:19 +0100
Subject: [PATCH] Limit card assignment to users who are participants of the board
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 docs/API.md                 | 27 +++++++++++++++++++++++++++
 lib/Service/CardService.php |  9 ++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/docs/API.md b/docs/API.md
index be877cd66..3ce5b9a15 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -651,6 +651,33 @@ The board list endpoint supports setting an `If-Modified-Since` header to limit
 
 ##### 200 Success
 
+```json
+{
+  "id": 3,
+  "participant": {
+    "primaryKey": "admin",
+    "uid": "admin",
+    "displayname": "admin"
+  },
+  "cardId": 1
+}
+```
+
+##### 400 Bad request
+
+```json
+{
+  "status": 400,
+  "message": "The user is already assigned to the card"
+}
+```
+
+The request can fail with a bad request response for the following reasons:
+- Missing or wrongly formatted request parameters
+- The user is already assigned to the card
+- The user is not part of the board
+
+
 ### PUT /boards/{boardId}/stacks/{stackId}/cards/{cardId}/unassignUser - Assign a user to a card
 
 #### Request parameters
diff --git a/lib/Service/CardService.php b/lib/Service/CardService.php
index 12b9d125e..44a3923ae 100644
--- a/lib/Service/CardService.php
+++ b/lib/Service/CardService.php
@@ -588,10 +588,17 @@ class CardService {
 		$assignments = $this->assignedUsersMapper->find($cardId);
 		foreach ($assignments as $assignment) {
 			if ($assignment->getParticipant() === $userId) {
-				return false;
+				throw new BadRequestException('The user is already assigned to the card');
 			}
 		}
 
+		$card = $this->cardMapper->find($cardId);
+		$boardId = $this->cardMapper->findBoardId($cardId);
+		$boardUsers = array_keys($this->permissionService->findUsers($boardId));
+		if (!in_array($userId, $boardUsers)) {
+			throw new BadRequestException('The user is not part of the board');
+		}
+
 		if ($userId !== $this->currentUser) {
 			/* Notifyuser about the card assignment */