From aa5fb57cb4dbd6ef4833d95fea7fa15e8be63ffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?= <jus@bitgrid.net>
Date: Wed, 3 Jan 2024 15:32:40 +0100
Subject: [PATCH] fix: Consider a deleted board inaccessible to share
 recipients
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only the owner can delete/undo a board deletion so there is no reason
other users should have any permission on a board marked as deleted

Signed-off-by: Julius Härtl <jus@bitgrid.net>
---
 lib/Service/PermissionService.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/Service/PermissionService.php b/lib/Service/PermissionService.php
index 18f112d2d..4dfc37f18 100644
--- a/lib/Service/PermissionService.php
+++ b/lib/Service/PermissionService.php
@@ -107,8 +107,9 @@ class PermissionService {
 			return $cached;
 		}
 
+		$board = $this->getBoard($boardId);
 		$owner = $this->userIsBoardOwner($boardId, $userId);
-		$acls = $this->aclMapper->findAll($boardId);
+		$acls = $board->getDeletedAt() === 0 ? $this->aclMapper->findAll($boardId) : [];
 		$permissions = [
 			Acl::PERMISSION_READ => $owner || $this->userCan($acls, Acl::PERMISSION_READ, $userId),
 			Acl::PERMISSION_EDIT => $owner || $this->userCan($acls, Acl::PERMISSION_EDIT, $userId),