ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Check for the card permissions based on attachment id

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2020-07-07 15:33:52 +02:00
parent 20a73c6bf2
commit cd0b3b29f1
1 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
lib/Service/AttachmentService.php
View File

@@ -231,8 +231,12 @@ class AttachmentService {
throw new BadRequestException('attachment id must be a number'); throw new BadRequestException('attachment id must be a number');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); try {
$attachment = $this->attachmentMapper->find($attachmentId); $attachment = $this->attachmentMapper->find($attachmentId);
} catch (\Exception $e) {
throw new NoPermissionException('Permission denied');
}
$this->permissionService->checkPermission($this->cardMapper, $attachment->getCardId(), Acl::PERMISSION_READ);
try { try {
$service = $this->getService($attachment->getType()); $service = $this->getService($attachment->getType());
@@ -266,11 +270,15 @@ class AttachmentService {
if ($data === false || $data === null) { if ($data === false || $data === null) {
//throw new BadRequestException('data must be provided'); //throw new BadRequestException('data must be provided');
} }
try {
$attachment = $this->attachmentMapper->find($attachmentId);
} catch (\Exception $e) {
throw new NoPermissionException('Permission denied');
}
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $attachment->getCardId(), Acl::PERMISSION_EDIT);
$this->cache->clear('card-' . $cardId); $this->cache->clear('card-' . $cardId);
$attachment = $this->attachmentMapper->find($attachmentId);
$attachment->setData($data); $attachment->setData($data);
try { try {
$service = $this->getService($attachment->getType()); $service = $this->getService($attachment->getType());
@@ -313,10 +321,15 @@ class AttachmentService {
throw new BadRequestException('attachment id must be a number'); throw new BadRequestException('attachment id must be a number');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); try {
$attachment = $this->attachmentMapper->find($attachmentId);
} catch (\Exception $e) {
throw new NoPermissionException('Permission denied');
}
$this->permissionService->checkPermission($this->cardMapper, $attachment->getCardId(), Acl::PERMISSION_EDIT);
$this->cache->clear('card-' . $cardId); $this->cache->clear('card-' . $cardId);
$attachment = $this->attachmentMapper->find($attachmentId);
try { try {
$service = $this->getService($attachment->getType()); $service = $this->getService($attachment->getType());
if ($service->allowUndo()) { if ($service->allowUndo()) {
@@ -343,10 +356,15 @@ class AttachmentService {
throw new BadRequestException('attachment id must be a number'); throw new BadRequestException('attachment id must be a number');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_EDIT); try {
$attachment = $this->attachmentMapper->find($attachmentId);
} catch (\Exception $e) {
throw new NoPermissionException('Permission denied');
}
$this->permissionService->checkPermission($this->cardMapper, $attachment->getCardId(), Acl::PERMISSION_EDIT);
$this->cache->clear('card-' . $cardId); $this->cache->clear('card-' . $cardId);
$attachment = $this->attachmentMapper->find($attachmentId);
try { try {
$service = $this->getService($attachment->getType()); $service = $this->getService($attachment->getType());
if ($service->allowUndo()) { if ($service->allowUndo()) {