fix: limit to non-deleted cards
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
@@ -36,6 +36,8 @@ use Sabre\VObject\Component\VCalendar;
|
|||||||
* @method int getLastModified()
|
* @method int getLastModified()
|
||||||
* @method int getCreatedAt()
|
* @method int getCreatedAt()
|
||||||
* @method bool getArchived()
|
* @method bool getArchived()
|
||||||
|
* @method int getDeletedAt()
|
||||||
|
* @method void setDeletedAt(int $deletedAt)
|
||||||
* @method bool getNotified()
|
* @method bool getNotified()
|
||||||
*
|
*
|
||||||
* @method void setLabels(Label[] $labels)
|
* @method void setLabels(Label[] $labels)
|
||||||
|
|||||||
@@ -446,7 +446,7 @@ class BoardService {
|
|||||||
$newAcl = $this->aclMapper->insert($acl);
|
$newAcl = $this->aclMapper->insert($acl);
|
||||||
|
|
||||||
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId);
|
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId);
|
||||||
$this->notificationHelper->sendBoardShared((int)$boardId, $acl);
|
$this->notificationHelper->sendBoardShared($boardId, $acl);
|
||||||
$this->boardMapper->mapAcl($newAcl);
|
$this->boardMapper->mapAcl($newAcl);
|
||||||
$this->changeHelper->boardChanged($boardId);
|
$this->changeHelper->boardChanged($boardId);
|
||||||
|
|
||||||
|
|||||||
@@ -94,7 +94,7 @@ class CommentService {
|
|||||||
throw new NotFoundException('No comment found.');
|
throw new NotFoundException('No comment found.');
|
||||||
}
|
}
|
||||||
if ($comment->getParentId() !== '0') {
|
if ($comment->getParentId() !== '0') {
|
||||||
$this->permissionService->checkPermission($this->cardMapper, $comment->getParentId(), Acl::PERMISSION_READ);
|
$this->permissionService->checkPermission($this->cardMapper, (int)$comment->getParentId(), Acl::PERMISSION_READ);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $comment;
|
return $comment;
|
||||||
@@ -113,24 +113,17 @@ class CommentService {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param string $cardId
|
|
||||||
* @param string $message
|
|
||||||
* @param string $replyTo
|
|
||||||
* @return DataResponse
|
|
||||||
* @throws BadRequestException
|
* @throws BadRequestException
|
||||||
* @throws NotFoundException|NoPermissionException
|
* @throws NotFoundException|NoPermissionException
|
||||||
*/
|
*/
|
||||||
public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse {
|
public function create(int $cardId, string $message, string $replyTo = '0'): DataResponse {
|
||||||
if (!is_numeric($cardId)) {
|
|
||||||
throw new BadRequestException('A valid card id must be provided');
|
|
||||||
}
|
|
||||||
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
|
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
|
||||||
|
|
||||||
// Check if parent is a comment on the same card
|
// Check if parent is a comment on the same card
|
||||||
if ($replyTo !== '0') {
|
if ($replyTo !== '0') {
|
||||||
try {
|
try {
|
||||||
$comment = $this->commentsManager->get($replyTo);
|
$comment = $this->commentsManager->get($replyTo);
|
||||||
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
|
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || (int)$comment->getObjectId() !== $cardId) {
|
||||||
throw new CommentNotFoundException();
|
throw new CommentNotFoundException();
|
||||||
}
|
}
|
||||||
} catch (CommentNotFoundException $e) {
|
} catch (CommentNotFoundException $e) {
|
||||||
@@ -139,7 +132,7 @@ class CommentService {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
|
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, (string)$cardId);
|
||||||
$comment->setMessage($message);
|
$comment->setMessage($message);
|
||||||
$comment->setVerb('comment');
|
$comment->setVerb('comment');
|
||||||
$comment->setParentId($replyTo);
|
$comment->setParentId($replyTo);
|
||||||
|
|||||||
@@ -29,6 +29,7 @@ use OCA\Deck\Db\Acl;
|
|||||||
use OCA\Deck\Db\AclMapper;
|
use OCA\Deck\Db\AclMapper;
|
||||||
use OCA\Deck\Db\Board;
|
use OCA\Deck\Db\Board;
|
||||||
use OCA\Deck\Db\BoardMapper;
|
use OCA\Deck\Db\BoardMapper;
|
||||||
|
use OCA\Deck\Db\CardMapper;
|
||||||
use OCA\Deck\Db\IPermissionMapper;
|
use OCA\Deck\Db\IPermissionMapper;
|
||||||
use OCA\Deck\Db\User;
|
use OCA\Deck\Db\User;
|
||||||
use OCA\Deck\NoPermissionException;
|
use OCA\Deck\NoPermissionException;
|
||||||
@@ -143,13 +144,10 @@ class PermissionService {
|
|||||||
/**
|
/**
|
||||||
* check permissions for replacing dark magic middleware
|
* check permissions for replacing dark magic middleware
|
||||||
*
|
*
|
||||||
* @param $mapper IPermissionMapper|null null if $id is a boardId
|
* @param numeric $id
|
||||||
* @param $id int unique identifier of the Entity
|
|
||||||
* @param $permission int
|
|
||||||
* @return bool
|
|
||||||
* @throws NoPermissionException
|
* @throws NoPermissionException
|
||||||
*/
|
*/
|
||||||
public function checkPermission($mapper, $id, $permission, $userId = null): bool {
|
public function checkPermission(?IPermissionMapper $mapper, $id, int $permission, $userId = null, bool $allowDeletedCard = false): bool {
|
||||||
$boardId = $id;
|
$boardId = $id;
|
||||||
if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) {
|
if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) {
|
||||||
$boardId = $mapper->findBoardId($id);
|
$boardId = $mapper->findBoardId($id);
|
||||||
@@ -161,6 +159,14 @@ class PermissionService {
|
|||||||
|
|
||||||
$permissions = $this->getPermissions($boardId, $userId);
|
$permissions = $this->getPermissions($boardId, $userId);
|
||||||
if ($permissions[$permission] === true) {
|
if ($permissions[$permission] === true) {
|
||||||
|
|
||||||
|
if (!$allowDeletedCard && $mapper instanceof CardMapper) {
|
||||||
|
$card = $mapper->find($id);
|
||||||
|
if ($card->getDeletedAt() > 0) {
|
||||||
|
throw new NoPermissionException('Card is deleted');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -115,7 +115,7 @@ class ShareAPIHelper {
|
|||||||
*/
|
*/
|
||||||
public function canAccessShare(IShare $share, string $user): bool {
|
public function canAccessShare(IShare $share, string $user): bool {
|
||||||
try {
|
try {
|
||||||
$this->permissionService->checkPermission($this->cardMapper, $share->getSharedWith(), Acl::PERMISSION_READ, $user);
|
$this->permissionService->checkPermission($this->cardMapper, (int)$share->getSharedWith(), Acl::PERMISSION_READ, $user);
|
||||||
} catch (NoPermissionException $e) {
|
} catch (NoPermissionException $e) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user