fix: limit to non-deleted cards
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
@@ -36,6 +36,8 @@ use Sabre\VObject\Component\VCalendar;
|
||||
* @method int getLastModified()
|
||||
* @method int getCreatedAt()
|
||||
* @method bool getArchived()
|
||||
* @method int getDeletedAt()
|
||||
* @method void setDeletedAt(int $deletedAt)
|
||||
* @method bool getNotified()
|
||||
*
|
||||
* @method void setLabels(Label[] $labels)
|
||||
|
||||
@@ -446,7 +446,7 @@ class BoardService {
|
||||
$newAcl = $this->aclMapper->insert($acl);
|
||||
|
||||
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId);
|
||||
$this->notificationHelper->sendBoardShared((int)$boardId, $acl);
|
||||
$this->notificationHelper->sendBoardShared($boardId, $acl);
|
||||
$this->boardMapper->mapAcl($newAcl);
|
||||
$this->changeHelper->boardChanged($boardId);
|
||||
|
||||
|
||||
@@ -94,7 +94,7 @@ class CommentService {
|
||||
throw new NotFoundException('No comment found.');
|
||||
}
|
||||
if ($comment->getParentId() !== '0') {
|
||||
$this->permissionService->checkPermission($this->cardMapper, $comment->getParentId(), Acl::PERMISSION_READ);
|
||||
$this->permissionService->checkPermission($this->cardMapper, (int)$comment->getParentId(), Acl::PERMISSION_READ);
|
||||
}
|
||||
|
||||
return $comment;
|
||||
@@ -113,24 +113,17 @@ class CommentService {
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $cardId
|
||||
* @param string $message
|
||||
* @param string $replyTo
|
||||
* @return DataResponse
|
||||
* @throws BadRequestException
|
||||
* @throws NotFoundException|NoPermissionException
|
||||
*/
|
||||
public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse {
|
||||
if (!is_numeric($cardId)) {
|
||||
throw new BadRequestException('A valid card id must be provided');
|
||||
}
|
||||
public function create(int $cardId, string $message, string $replyTo = '0'): DataResponse {
|
||||
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
|
||||
|
||||
// Check if parent is a comment on the same card
|
||||
if ($replyTo !== '0') {
|
||||
try {
|
||||
$comment = $this->commentsManager->get($replyTo);
|
||||
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
|
||||
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || (int)$comment->getObjectId() !== $cardId) {
|
||||
throw new CommentNotFoundException();
|
||||
}
|
||||
} catch (CommentNotFoundException $e) {
|
||||
@@ -139,7 +132,7 @@ class CommentService {
|
||||
}
|
||||
|
||||
try {
|
||||
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
|
||||
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, (string)$cardId);
|
||||
$comment->setMessage($message);
|
||||
$comment->setVerb('comment');
|
||||
$comment->setParentId($replyTo);
|
||||
|
||||
@@ -29,6 +29,7 @@ use OCA\Deck\Db\Acl;
|
||||
use OCA\Deck\Db\AclMapper;
|
||||
use OCA\Deck\Db\Board;
|
||||
use OCA\Deck\Db\BoardMapper;
|
||||
use OCA\Deck\Db\CardMapper;
|
||||
use OCA\Deck\Db\IPermissionMapper;
|
||||
use OCA\Deck\Db\User;
|
||||
use OCA\Deck\NoPermissionException;
|
||||
@@ -143,13 +144,10 @@ class PermissionService {
|
||||
/**
|
||||
* check permissions for replacing dark magic middleware
|
||||
*
|
||||
* @param $mapper IPermissionMapper|null null if $id is a boardId
|
||||
* @param $id int unique identifier of the Entity
|
||||
* @param $permission int
|
||||
* @return bool
|
||||
* @param numeric $id
|
||||
* @throws NoPermissionException
|
||||
*/
|
||||
public function checkPermission($mapper, $id, $permission, $userId = null): bool {
|
||||
public function checkPermission(?IPermissionMapper $mapper, $id, int $permission, $userId = null, bool $allowDeletedCard = false): bool {
|
||||
$boardId = $id;
|
||||
if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) {
|
||||
$boardId = $mapper->findBoardId($id);
|
||||
@@ -161,6 +159,14 @@ class PermissionService {
|
||||
|
||||
$permissions = $this->getPermissions($boardId, $userId);
|
||||
if ($permissions[$permission] === true) {
|
||||
|
||||
if (!$allowDeletedCard && $mapper instanceof CardMapper) {
|
||||
$card = $mapper->find($id);
|
||||
if ($card->getDeletedAt() > 0) {
|
||||
throw new NoPermissionException('Card is deleted');
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
@@ -115,7 +115,7 @@ class ShareAPIHelper {
|
||||
*/
|
||||
public function canAccessShare(IShare $share, string $user): bool {
|
||||
try {
|
||||
$this->permissionService->checkPermission($this->cardMapper, $share->getSharedWith(), Acl::PERMISSION_READ, $user);
|
||||
$this->permissionService->checkPermission($this->cardMapper, (int)$share->getSharedWith(), Acl::PERMISSION_READ, $user);
|
||||
} catch (NoPermissionException $e) {
|
||||
return false;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user