Merge pull request #5544 from nextcloud/backport/5533/stable27

[stable27] fix(activity): Fix permission checks when rendering activities in bac…
Julius Härtl
2024-02-05 07:10:51 +01:00
committed by GitHub
2 changed files with 6 additions and 6 deletions


@@ -556,9 +556,9 @@ class ActivityManager {
]; ];
} }
public function canSeeCardActivity(int $cardId): bool { public function canSeeCardActivity(int $cardId, string $userId): bool {
try { try {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ, $userId);
$card = $this->cardMapper->find($cardId); $card = $this->cardMapper->find($cardId);
return $card->getDeletedAt() === 0; return $card->getDeletedAt() === 0;
} catch (NoPermissionException $e) { } catch (NoPermissionException $e) {
@@ -566,9 +566,9 @@ class ActivityManager {
} }
} }
public function canSeeBoardActivity(int $boardId): bool { public function canSeeBoardActivity(int $boardId, string $userId): bool {
try { try {
$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_READ, $userId);
$board = $this->boardMapper->find($boardId); $board = $this->boardMapper->find($boardId);
return $board->getDeletedAt() === 0; return $board->getDeletedAt() === 0;
} catch (NoPermissionException $e) { } catch (NoPermissionException $e) {
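Review bot: The new required `string $userId` parameter on `canSeeCardActivity()` and `canSeeBoardActivity()` is undocumented, so the signatures do not say whose read permission is evaluated. A docblock line such as `@param string $userId user whose read access is checked (the activity's affected user, not the session user)` on both methods would record the intent; the DeckProvider call sites in this commit pass `$event->getAffectedUser()`. Both methods are public and the parameter has no default, so any caller outside this diff that still passes one argument will fail on this stable27 backport, which is worth confirming with a search. How `checkPermission()` treats an empty `$userId` is not visible here, so an early `if ($userId === '') { return false; }` would keep the denial explicit rather than dependent on the service's fallback behaviour. Both method bodies continue past the end of their hunks.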


@@ -111,7 +111,7 @@ class DeckProvider implements IProvider {
$event->setAuthor($author); $event->setAuthor($author);
} }
if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) { if ($event->getObjectType() === ActivityManager::DECK_OBJECT_BOARD) {
if (!$this->activityManager->canSeeBoardActivity($event->getObjectId())) { if (!$this->activityManager->canSeeBoardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException(); throw new \InvalidArgumentException();
} }
if (isset($subjectParams['board']) && $event->getObjectName() === '') { if (isset($subjectParams['board']) && $event->getObjectName() === '') {
@@ -128,7 +128,7 @@ class DeckProvider implements IProvider {
} }
if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) { if (isset($subjectParams['card']) && $event->getObjectType() === ActivityManager::DECK_OBJECT_CARD) {
if (!$this->activityManager->canSeeCardActivity($event->getObjectId())) { if (!$this->activityManager->canSeeCardActivity($event->getObjectId(), $event->getAffectedUser())) {
throw new \InvalidArgumentException(); throw new \InvalidArgumentException();
} }
if ($event->getObjectName() === '') { if ($event->getObjectName() === '') {