ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: Further limit updating cards

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2024-01-04 14:01:24 +01:00
parent e75ff1c1a0
commit aa7430bde9
3 changed files with 8 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/Service/CardService.php
View File

@@ -267,7 +267,7 @@ class CardService {
public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null) {
$this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
$this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -279,9 +279,9 @@ class CardService {
}
if ($card->getDeletedAt() !== 0) {
if ($deletedAt === null) {
if ($deletedAt === null || $deletedAt > 0) {
// Only allow operations when restoring the card
throw new StatusException('Operation not allowed. This card was deleted.');
throw new NoPermissionException('Operation not allowed. This card was deleted.');
}
}

1
tests/integration/features/bootstrap/BoardContext.php
View File

@@ -276,6 +276,7 @@ class BoardContext implements Context {
*/
public function deleteTheCard() {
$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
$this->card['deletedAt'] = time();
}
/**

8
tests/integration/features/decks.feature
View File

@@ -100,7 +100,7 @@ Feature: decks
# We currently still expect to be able to update the card as this is used to undo deletion
When set the description to "Update some text"
Then the response should have a status code 403
#When set the card attribute "deletedAt" to "0"
#Then the response should have a status code 200
#When set the description to "Update some text"
#Then the response should have a status code 200
When set the card attribute "deletedAt" to "0"
Then the response should have a status code 200
When set the description to "Update some text"
Then the response should have a status code 200