Comments are available to all users of a board through webdav, but at least check for read permission to the board

Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2020-03-10 12:13:32 +01:00
parent 08310406a1
commit 7e4b42a223


@@ -26,6 +26,8 @@ namespace OCA\Deck\Service;
use OCA\Deck\AppInfo\Application; use OCA\Deck\AppInfo\Application;
use OCA\Deck\BadRequestException; use OCA\Deck\BadRequestException;
use OCA\Deck\Db\Acl;
use OCA\Deck\Db\CardMapper;
use OCA\Deck\NoPermissionException; use OCA\Deck\NoPermissionException;
use OCA\Deck\NotFoundException; use OCA\Deck\NotFoundException;
use OCA\Deck\StatusException; use OCA\Deck\StatusException;
@@ -54,8 +56,10 @@ class CommentService {
private $logger; private $logger;
private $userId; private $userId;
public function __construct(ICommentsManager $commentsManager, IUserManager $userManager, ILogger $logger, $userId) { public function __construct(ICommentsManager $commentsManager, PermissionService $permissionService, CardMapper $cardMapper, IUserManager $userManager, ILogger $logger, $userId) {
$this->commentsManager = $commentsManager; $this->commentsManager = $commentsManager;
$this->permissionService = $permissionService;
$this->cardMapper = $cardMapper;
$this->userManager = $userManager; $this->userManager = $userManager;
$this->logger = $logger; $this->logger = $logger;
$this->userId = $userId; $this->userId = $userId;
@@ -65,6 +69,7 @@ class CommentService {
if (!is_numeric($cardId)) { if (!is_numeric($cardId)) {
throw new BadRequestException('A valid card id must be provided'); throw new BadRequestException('A valid card id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
$comments = $this->commentsManager->getForObject(Application::COMMENT_ENTITY_TYPE, $cardId, $limit, $offset); $comments = $this->commentsManager->getForObject(Application::COMMENT_ENTITY_TYPE, $cardId, $limit, $offset);
$result = []; $result = [];
foreach ($comments as $comment) { foreach ($comments as $comment) {
@@ -92,6 +97,7 @@ class CommentService {
if (!is_numeric($cardId)) { if (!is_numeric($cardId)) {
throw new BadRequestException('A valid card id must be provided'); throw new BadRequestException('A valid card id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
try { try {
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId); $comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
$comment->setMessage($message); $comment->setMessage($message);
@@ -116,8 +122,10 @@ class CommentService {
if (!is_numeric($commentId)) { if (!is_numeric($commentId)) {
throw new BadRequestException('A valid comment id must be provided'); throw new BadRequestException('A valid comment id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
try { try {
$comment = $this->commentsManager->get($commentId); $comment = $this->commentsManager->get($commentId);
} catch (CommentNotFoundException $e) { } catch (CommentNotFoundException $e) {
throw new NotFoundException('No comment found.'); throw new NotFoundException('No comment found.');
} }
@@ -136,6 +144,16 @@ class CommentService {
if (!is_numeric($commentId)) { if (!is_numeric($commentId)) {
throw new BadRequestException('A valid comment id must be provided'); throw new BadRequestException('A valid comment id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
try {
$comment = $this->commentsManager->get($commentId);
} catch (CommentNotFoundException $e) {
throw new NotFoundException('No comment found.');
}
if ($comment->getActorType() !== 'users' || $comment->getActorId() !== $this->userId) {
throw new NoPermissionException('Only authors are allowed to edit their comment.');
}
$this->commentsManager->delete($commentId); $this->commentsManager->delete($commentId);
return new DataResponse([]); return new DataResponse([]);
} }
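Review bot: In the update and delete hunks the new read check is evaluated against the caller-supplied `$cardId`, but nothing in the visible code ties that id to the comment later loaded by `$commentId`, so the comment is fetched (and the not-found/author outcome reported) for whichever card id the caller chose; the subsequent actor check keeps the mutation author-only, but the check would be complete if the loaded comment were bound to the card, e.g. `if ($comment->getObjectId() !== (string)$cardId) { throw new NotFoundException('No comment found.'); }` right after the `get()`. Both method signatures begin outside the hunk, so where `$cardId` comes from is inferred from the commit message. Separately, the constructor hunk assigns `$this->permissionService` and `$this->cardMapper`, yet the hunk offsets (old 54 → new 56, matching only the two `use` lines added earlier) suggest no property declarations were added, so these become dynamic properties — add `private $permissionService;` and `private $cardMapper;` next to `private $logger;`. The delete path also reuses the 'Only authors are allowed to edit their comment.' message for a delete, which will mislead the API caller.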