From 912f9ab2362a4da40386a657df547ed88d9713bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?= <jus@bitgrid.net>
Date: Fri, 7 Feb 2020 16:51:24 +0100
Subject: [PATCH] Check for board membership on comments entity event
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl <jus@bitgrid.net>
---
 lib/AppInfo/Application.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 5463e26ed..a8abe3dc9 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -33,6 +33,7 @@ use OCA\Deck\Db\CardMapper;
 use OCA\Deck\Middleware\ExceptionMiddleware;
 use OCA\Deck\Notification\Notifier;
 use OCA\Deck\Service\FullTextSearchService;
+use OCA\Deck\Service\PermissionService;
 use OCP\AppFramework\App;
 use OCP\Collaboration\Resources\IManager;
 use OCP\Comments\CommentsEntityEvent;
@@ -156,13 +157,14 @@ class Application extends App {
 		$this->getContainer()->getServer()->getEventDispatcher()->addListener(CommentsEntityEvent::EVENT_ENTITY, function(CommentsEntityEvent $event) {
 			$event->addEntityCollection('deckCard', function($name) {
 				/** @var CardMapper */
-				$service = $this->getContainer()->query(CardMapper::class);
+				$cardMapper = $this->getContainer()->query(CardMapper::class);
+				$permissionService = $this->getContainer()->query(PermissionService::class);
+
 				try {
-					$service->find((int) $name);
-				} catch (\InvalidArgumentException $e) {
+					return $permissionService->checkPermission($cardMapper, (int) $name, Acl::PERMISSION_READ);
+				} catch (\Exception $e) {
 					return false;
 				}
-				return true;
 			});
 		});
 		$this->registerCommentsEventHandler();