From 517d79156a11ec29c6cf3fa1eeaaaac7c45aa86e Mon Sep 17 00:00:00 2001
From: Joas Schilling
Date: Mon, 29 Jan 2024 09:10:47 +0100
Subject: [PATCH] fix(activity): Fix permission checks when rendering activities in background jobs

Signed-off-by: Joas Schilling
---
 lib/Activity/ActivityManager.php | 8 ++++----
 lib/Activity/DeckProvider.php | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/Activity/ActivityManager.php b/lib/Activity/ActivityManager.php
index 8380112ab..b06fcee61 100644
--- a/lib/Activity/ActivityManager.php
+++ b/lib/Activity/ActivityManager.php
@@ -556,9 +556,9 @@ class ActivityManager {
 ];
 }
 
- public function canSeeCardActivity(int $cardId): bool {
+ public function canSeeCardActivity(int $cardId, string $userId): bool {
 try {
- $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
+ $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ, $userId);
 $card = $this->cardMapper->find($cardId);
 return $card->getDeletedAt() === 0;
 } catch (NoPermissionException $e) {
@@ -566,9 +566,9 @@ class ActivityManager {
 }
 }
 
- public function canSeeBoardActivity(int $boardId): bool {
+ public function canSeeBoardActivity(int $boardId, string $userId): bool {
 try {
- $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ);
+ $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ, $userId);
 $board = $this->boardMapper->find($boardId);
 return $board->getDeletedAt() === 0;
 } catch (NoPermissionException $e) {
diff --git a/lib/Activity/DeckProvider.php b/lib/Activity/DeckProvider.php
index 9fcf6e1f0..12f9be73c 100644
--- a/lib/Activity/DeckProvider.php
+++ b/lib/Activity/DeckProvider.php
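Review bot: `canSeeCardActivity()` and `canSeeBoardActivity()` in lib/Activity/ActivityManager.php now forward `$userId` to `checkPermission()` without rejecting an empty value, so the result for an event with no affected user depends on how `checkPermission()` treats `''` (not visible in this patch; it may fall back to the session user or behave differently). Failing closed at the top of both methods, `if ($userId === '') { return false; }`, would make the outcome independent of that. Both are public methods that gain a required parameter, so any caller not touched by this patch would break; only the two DeckProvider call sites are updated here. A short docblock stating that `$userId` is the user the activity is rendered for, needed because background jobs have no session user, would help the next caller pass the right identity. Both method bodies continue past the end of their hunks.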
@@ -111,7 +111,7 @@ class DeckProvider implements IProvider {
 $event->setAuthor($author);
 }
 if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) {
- if (!$this->activityManager->canSeeBoardActivity($event->getObjectId())) {
+ if (!$this->activityManager->canSeeBoardActivity($event->getObjectId(), $event->getAffectedUser())) {
 throw new \InvalidArgumentException();
 }
 if (isset($subjectParams['board']) && $event->getObjectName() === '') {
@@ -128,7 +128,7 @@ class DeckProvider implements IProvider {
 }
 
 if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {
- if (!$this->activityManager->canSeeCardActivity($event->getObjectId())) {
+ if (!$this->activityManager->canSeeCardActivity($event->getObjectId(), $event->getAffectedUser())) {
 throw new \InvalidArgumentException();
 }
 if ($event->getObjectName() === '') {
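Review bot: The two changed calls in lib/Activity/DeckProvider.php (board branch in the first hunk, card branch in the second) now authorise against `$event->getAffectedUser()` instead of the session user, and nothing at the call sites says why. A comment such as `// Authorise against the event's recipient; background jobs have no session user` above each check would record the assumption that the affected user is the person who will see the rendered activity. If this method were ever used to render one user's events for a different requester, the check would pass or fail for the wrong person, so the assumption is worth stating where the identity is chosen. The enclosing method starts and ends outside both hunks.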