From 7e4b42a2235d653a3e6a028b7c6b2d0ae4a91440 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Tue, 10 Mar 2020 12:13:32 +0100
Subject: [PATCH] Comments are available to all users of a board though webdav, but at least check for read permission to the board
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 lib/Service/CommentService.php | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/Service/CommentService.php b/lib/Service/CommentService.php
index b492f99a7..554108f67 100644
--- a/lib/Service/CommentService.php
+++ b/lib/Service/CommentService.php
@@ -26,6 +26,8 @@ namespace OCA\Deck\Service;
 
 use OCA\Deck\AppInfo\Application;
 use OCA\Deck\BadRequestException;
+use OCA\Deck\Db\Acl;
+use OCA\Deck\Db\CardMapper;
 use OCA\Deck\NoPermissionException;
 use OCA\Deck\NotFoundException;
 use OCA\Deck\StatusException;
@@ -54,8 +56,10 @@ class CommentService {
 	private $logger;
 	private $userId;
 
-	public function __construct(ICommentsManager $commentsManager, IUserManager $userManager, ILogger $logger, $userId) {
+	public function __construct(ICommentsManager $commentsManager, PermissionService $permissionService, CardMapper $cardMapper, IUserManager $userManager, ILogger $logger, $userId) {
 		$this->commentsManager = $commentsManager;
+		$this->permissionService = $permissionService;
+		$this->cardMapper = $cardMapper;
 		$this->userManager = $userManager;
 		$this->logger = $logger;
 		$this->userId = $userId;
@@ -65,6 +69,7 @@ class CommentService {
 		if (!is_numeric($cardId)) {
 			throw new BadRequestException('A valid card id must be provided');
 		}
+		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
 		$comments = $this->commentsManager->getForObject(Application::COMMENT_ENTITY_TYPE, $cardId, $limit, $offset);
 		$result = [];
 		foreach ($comments as $comment) {
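Review bot: The constructor now assigns `$this->permissionService` and `$this->cardMapper`, but the visible property list in this hunk (`private $logger;`, `private $userId;`) gains no declarations for them, and the diffstat's 19 insertions are fully accounted for by the six hunks, so both appear to be created as undeclared dynamic properties. Add `private $permissionService;` and `private $cardMapper;` alongside the existing declarations so the dependencies are visible to readers and static analysis, typed as `PermissionService` and `CardMapper` if the file's PHP floor allows typed properties. The class header and the rest of the property list are outside the hunk.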
@@ -92,6 +97,7 @@ class CommentService {
 		if (!is_numeric($cardId)) {
 			throw new BadRequestException('A valid card id must be provided');
 		}
+		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
 		try {
 			$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
 			$comment->setMessage($message);
@@ -116,8 +122,10 @@ class CommentService {
 		if (!is_numeric($commentId)) {
 			throw new BadRequestException('A valid comment id must be provided');
 		}
+		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
 		try {
 			$comment = $this->commentsManager->get($commentId);
+
 		} catch (CommentNotFoundException $e) {
 			throw new NotFoundException('No comment found.');
 		}
@@ -136,6 +144,16 @@ class CommentService {
 		if (!is_numeric($commentId)) {
 			throw new BadRequestException('A valid comment id must be provided');
 		}
+		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
+		try {
+			$comment = $this->commentsManager->get($commentId);
+
+		} catch (CommentNotFoundException $e) {
+			throw new NotFoundException('No comment found.');
+		}
+		if ($comment->getActorType() !== 'users' || $comment->getActorId() !== $this->userId) {
+			throw new NoPermissionException('Only authors are allowed to edit their comment.');
+		}
 		$this->commentsManager->delete($commentId);
 		return new DataResponse([]);
 	}
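Review bot: The new guard in the create path requires only `Acl::PERMISSION_READ`, so every user who can read the board can post comments on its cards; the commit message presents this as a minimum, but whether read-only board members should be able to comment is a product decision that this hunk settles implicitly. If commenting is meant to be a write action, the call here should use a write-level permission (presumably `Acl::PERMISSION_EDIT`) instead, and a one-line comment stating the chosen policy would help the next reader, e.g. `// Read access to the board is sufficient to comment; raise to EDIT if read-only shares must not comment.` The create method's signature and the remainder of its body are outside the hunk.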
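Review bot: In the update hunk the permission check is evaluated against the caller-supplied `$cardId`, but nothing ties `$commentId` to that card, so the read check can be satisfied by naming any card the caller may read while the fetched comment may belong to a card on a board they cannot access; the delete hunk below has the same gap. After the fetch, reject a mismatch before proceeding, e.g. `if ((string)$cardId !== $comment->getObjectId()) { throw new NotFoundException('No comment found.'); }` (the comment's object id is stored as a string, so compare as strings). The bare `+` blank line added inside the try block, here and again in delete, looks unintentional. The rest of the update method, including any author check, is outside the hunk.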
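Review bot: The NoPermissionException added to the delete path says `'Only authors are allowed to edit their comment.'` although this branch guards deletion, which reads as a copy of the update message; `throw new NoPermissionException('Only authors are allowed to delete their comment.');` would match the action. The fetch / not-found / author-check sequence now appears in both update and delete, so a small private helper that returns the current user's comment (or throws the same two exceptions) would keep the two paths from drifting apart. The delete method's signature is outside the hunk.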