ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

fix: Limit label actions to labels of the cards board

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2024-09-02 14:32:13 +02:00
committed by backportbot[bot]
parent 07d4184d47
commit c465d15fb2
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
lib/Service/CardService.php
View File

@@ -600,8 +600,9 @@ class CardService {
public function assignLabel($cardId, $labelId) { public function assignLabel($cardId, $labelId) {
$this->cardServiceValidator->check(compact('cardId', 'labelId')); $this->cardServiceValidator->check(compact('cardId', 'labelId'));
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
if ($this->boardService->isArchived($this->cardMapper, $cardId)) { if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
throw new StatusException('Operation not allowed. This board is archived.'); throw new StatusException('Operation not allowed. This board is archived.');
} }
@@ -610,6 +611,9 @@ class CardService {
throw new StatusException('Operation not allowed. This card is archived.'); throw new StatusException('Operation not allowed. This card is archived.');
} }
$label = $this->labelMapper->find($labelId); $label = $this->labelMapper->find($labelId);
if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
throw new StatusException('Operation not allowed. Label does not exist.');
}
$this->cardMapper->assignLabel($cardId, $labelId); $this->cardMapper->assignLabel($cardId, $labelId);
$this->changeHelper->cardChanged($cardId); $this->changeHelper->cardChanged($cardId);
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_ASSIGN, ['label' => $label]); $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_ASSIGN, ['label' => $label]);
@@ -631,6 +635,8 @@ class CardService {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT);
$this->permissionService->checkPermission($this->labelMapper, $labelId, Acl::PERMISSION_READ);
if ($this->boardService->isArchived($this->cardMapper, $cardId)) { if ($this->boardService->isArchived($this->cardMapper, $cardId)) {
throw new StatusException('Operation not allowed. This board is archived.'); throw new StatusException('Operation not allowed. This board is archived.');
} }
@@ -639,6 +645,9 @@ class CardService {
throw new StatusException('Operation not allowed. This card is archived.'); throw new StatusException('Operation not allowed. This card is archived.');
} }
$label = $this->labelMapper->find($labelId); $label = $this->labelMapper->find($labelId);
if ($label->getBoardId() !== $this->cardMapper->findBoardId($card->getId())) {
throw new StatusException('Operation not allowed. Label does not exist.');
}
$this->cardMapper->removeLabel($cardId, $labelId); $this->cardMapper->removeLabel($cardId, $labelId);
$this->changeHelper->cardChanged($cardId); $this->changeHelper->cardChanged($cardId);
$this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_UNASSING, ['label' => $label]); $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_CARD, $card, ActivityManager::SUBJECT_LABEL_UNASSING, ['label' => $label]);