From c465d15fb22e06c48147f9b992946b38a1e8f6c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 2 Sep 2024 14:32:13 +0200
Subject: [PATCH] fix: Limit label actions to labels of the cards board
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 lib/Service/CardService.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/Service/CardService.php b/lib/Service/CardService.php
index 1c5e91aa3..078a92507 100644
--- a/lib/Service/CardService.php
+++ b/lib/Service/CardService.php
@@ -600,8 +600,9 @@ class CardService {
 	public function assignLabel($cardId, $labelId) {
 		$this->cardServiceValidator->check(compact('cardId', 'labelId'));
-		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
+		$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
+
 		if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
 			throw new StatusException('Operation not allowed. This board is archived.');
 		}
@@ -610,6 +611,9 @@ class CardService {
 			throw new StatusException('Operation not allowed. This card is archived.');
 		}
 		$label = $this->labelMapper->find($labelId);
+		if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
+			throw new StatusException('Operation not allowed. Label does not exist.');
+		}
 		$this->cardMapper->assignLabel($cardId, $labelId);
 		$this->changeHelper->cardChanged($cardId);
 		$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_ASSIGN, ['label' => $label]);
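Review bot: The `-` line removes assignLabel's card-level `Acl::PERMISSION_EDIT` check, so the only permission check left before the archive guards is `Acl::PERMISSION_READ` on the label, and a caller with read-only access to the board could assign labels to its cards; the removeLabel hunk at the end of the patch keeps the card edit check and adds the label read check next to it, and assignLabel should do the same. If the `-` marker is an artifact of this collapsed rendering the point does not apply, but the diffstat's single deletion matches it. Keep `$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);` and insert `$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);` directly after it. assignLabel's body continues past the end of this hunk.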
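Review bot: The new guard compares `$label->getBoardId()` with `$this->cardMapper->findBoardId($card->getId())` using `!==`, which is only safe if both sides are guaranteed to carry the same scalar type; if one is an int from the entity setter and the other a raw string from the database driver, every assignment would be rejected, and the hunk does not show the mapper signatures needed to rule that out. Worth verifying against the mapper return types, or normalizing both sides with `(int)` before the strict comparison. The same guard is added to removeLabel in the last hunk of the patch and the same question applies there. A short comment such as `// Report the label as missing rather than revealing that it belongs to a board the caller cannot see` (assuming that is the intent behind reusing the "does not exist" wording) would make the chosen message less surprising to the next reader. assignLabel starts and ends outside this hunk.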
@@ -631,6 +635,8 @@ class CardService {
 		$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
+		$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
+
 		if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
 			throw new StatusException('Operation not allowed. This board is archived.');
 		}
@@ -639,6 +645,9 @@ class CardService {
 			throw new StatusException('Operation not allowed. This card is archived.');
 		}
 		$label = $this->labelMapper->find($labelId);
+		if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
+			throw new StatusException('Operation not allowed. Label does not exist.');
+		}
 		$this->cardMapper->removeLabel($cardId, $labelId);
 		$this->changeHelper->cardChanged($cardId);
 		$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_UNASSING, ['label' => $label]);
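Review bot: The board-membership guard and its StatusException added here are a verbatim copy of the one added to assignLabel earlier in the patch, and the label read-permission check is duplicated the same way in the preceding hunk, so the two label operations will drift apart the next time one of them is touched. A private helper holding the comparison and the throw, called from both methods after the `$label = $this->labelMapper->find($labelId);` line, keeps the rule in one place; the parameter types below assume the Deck `Card` and `Label` entity classes are already imported in this file. removeLabel starts and ends outside this hunk.
```php
	private function assertLabelBelongsToCard(Label $label, Card $card): void {
		if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
			throw new StatusException('Operation not allowed. Label does not exist.');
		}
	}

	// … unchanged: removeLabel up to the label lookup …
		$label = $this->labelMapper->find($labelId);
		$this->assertLabelBelongsToCard($label, $card);
		$this->cardMapper->removeLabel($cardId, $labelId);
```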