ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: limit to non-deleted cards

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2024-01-04 10:53:11 +01:00
parent 71948d670e
commit aef06d833d
4 changed files with 18 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/Service/BoardService.php
View File

@@ -471,7 +471,7 @@ class BoardService {
$newAcl = $this->aclMapper->insert($acl); $newAcl = $this->aclMapper->insert($acl);
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId); $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId);
$this->notificationHelper->sendBoardShared((int)$boardId, $acl); $this->notificationHelper->sendBoardShared($boardId, $acl);
$this->boardMapper->mapAcl($newAcl); $this->boardMapper->mapAcl($newAcl);
$this->changeHelper->boardChanged($boardId); $this->changeHelper->boardChanged($boardId);

9
lib/Service/CommentService.php
View File

@@ -90,17 +90,14 @@ class CommentService {
* @throws BadRequestException * @throws BadRequestException
* @throws NotFoundException|NoPermissionException * @throws NotFoundException|NoPermissionException
*/ */
public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse { public function create(int $cardId, string $message, string $replyTo = '0'): DataResponse {
if (!is_numeric($cardId)) {
throw new BadRequestException('A valid card id must be provided');
}
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
// Check if parent is a comment on the same card // Check if parent is a comment on the same card
if ($replyTo !== '0') { if ($replyTo !== '0') {
try { try {
$comment = $this->commentsManager->get($replyTo); $comment = $this->commentsManager->get($replyTo);
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) { if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || (int)$comment->getObjectId() !== $cardId) {
throw new CommentNotFoundException(); throw new CommentNotFoundException();
} }
} catch (CommentNotFoundException $e) { } catch (CommentNotFoundException $e) {
@@ -109,7 +106,7 @@ class CommentService {
} }
try { try {
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId); $comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, (string)$cardId);
$comment->setMessage($message); $comment->setMessage($message);
$comment->setVerb('comment'); $comment->setVerb('comment');
$comment->setParentId($replyTo); $comment->setParentId($replyTo);

19
lib/Service/PermissionService.php
View File

@@ -29,6 +29,7 @@ use OCA\Deck\Db\Acl;
use OCA\Deck\Db\AclMapper; use OCA\Deck\Db\AclMapper;
use OCA\Deck\Db\Board; use OCA\Deck\Db\Board;
use OCA\Deck\Db\BoardMapper; use OCA\Deck\Db\BoardMapper;
use OCA\Deck\Db\CardMapper;
use OCA\Deck\Db\IPermissionMapper; use OCA\Deck\Db\IPermissionMapper;
use OCA\Deck\Db\User; use OCA\Deck\Db\User;
use OCA\Deck\NoPermissionException; use OCA\Deck\NoPermissionException;
@@ -138,13 +139,10 @@ class PermissionService {
/** /**
* check permissions for replacing dark magic middleware * check permissions for replacing dark magic middleware
* *
* @param $mapper IPermissionMapper|null null if $id is a boardId * @param numeric $id
* @param $id int unique identifier of the Entity
* @param $permission int
* @return bool
* @throws NoPermissionException * @throws NoPermissionException
*/ */
public function checkPermission($mapper, $id, $permission, $userId = null) { public function checkPermission($mapper, $id, $permission, $userId = null, bool $allowDeletedCard = false) {
$boardId = $id; $boardId = $id;
if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) { if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) {
$boardId = $mapper->findBoardId($id); $boardId = $mapper->findBoardId($id);
@@ -158,7 +156,16 @@ class PermissionService {
throw new NoPermissionException('Permission denied'); throw new NoPermissionException('Permission denied');
} }
if ($this->userIsBoardOwner($boardId, $userId)) { $permissions = $this->getPermissions($boardId, $userId);
if ($permissions[$permission] === true) {
if (!$allowDeletedCard && $mapper instanceof CardMapper) {
$card = $mapper->find($id);
if ($card->getDeletedAt() > 0) {
throw new NoPermissionException('Card is deleted');
}
}
return true; return true;
} }

2
lib/Sharing/ShareAPIHelper.php
View File

@@ -115,7 +115,7 @@ class ShareAPIHelper {
*/ */
public function canAccessShare(IShare $share, string $user): bool { public function canAccessShare(IShare $share, string $user): bool {
try { try {
$this->permissionService->checkPermission($this->cardMapper, $share->getSharedWith(), Acl::PERMISSION_READ, $user); $this->permissionService->checkPermission($this->cardMapper, (int)$share->getSharedWith(), Acl::PERMISSION_READ, $user);
} catch (NoPermissionException $e) { } catch (NoPermissionException $e) {
return false; return false;
} }