From e75ff1c1a01606b557aeb4a22833dff36d92c9d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Thu, 4 Jan 2024 10:53:11 +0100
Subject: [PATCH] fix: limit to non-deleted cards
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Db/Card.php | 2 ++
 lib/Service/BoardService.php | 2 +-
 lib/Service/CommentService.php | 9 +++------
 lib/Service/PermissionService.php | 19 +++++++++++++------
 lib/Sharing/ShareAPIHelper.php | 2 +-
 5 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/lib/Db/Card.php b/lib/Db/Card.php
index ed710d716..599a93a72 100644
--- a/lib/Db/Card.php
+++ b/lib/Db/Card.php
@@ -36,6 +36,8 @@ use Sabre\VObject\Component\VCalendar;
 * @method int getLastModified()
 * @method int getCreatedAt()
 * @method bool getArchived()
+ @method int getDeletedAt()
+ @method void setDeletedAt(int $deletedAt)
 * @method bool getNotified()
 *
 * @method void setLabels(Label[] $labels)
diff --git a/lib/Service/BoardService.php b/lib/Service/BoardService.php
index 3cf163d9e..e06b5d3a6 100644
--- a/lib/Service/BoardService.php
+++ b/lib/Service/BoardService.php
@@ -473,7 +473,7 @@ class BoardService {
 $newAcl = $this->aclMapper->insert($acl);
 $this->activityManager->triggerEvent(ActivityManager::DECK_OBJECT_BOARD, $newAcl, ActivityManager::SUBJECT_BOARD_SHARE, [], $this->userId);
- $this->notificationHelper->sendBoardShared((int)$boardId, $acl);
+ $this->notificationHelper->sendBoardShared($boardId, $acl);
 $this->boardMapper->mapAcl($newAcl);
 $this->changeHelper->boardChanged($boardId);
diff --git a/lib/Service/CommentService.php b/lib/Service/CommentService.php
index e9768d710..c37b8cff2 100644
--- a/lib/Service/CommentService.php
+++ b/lib/Service/CommentService.php
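Review bot: Dropping the `(int)` cast in `sendBoardShared($boardId, $acl)` is unrelated to the commit's subject and is only safe if `$boardId` is already an int at this point; the enclosing method's signature is outside the hunk, so I cannot confirm that, and `boardChanged($boardId)` two lines below still receives the uncast value as before. If the method still accepts a string id from a controller and `sendBoardShared` declares `int $boardId` under `strict_types`, this call becomes a TypeError at runtime. Either keep the cast or tighten the method's own parameter to `int $boardId` in the same change, and mention the cleanup in the commit message.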
@@ -84,17 +84,14 @@ class CommentService {
 * @throws BadRequestException
 * @throws NotFoundException|NoPermissionException
 */
- public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse {
- if (!is_numeric($cardId)) {
- throw new BadRequestException('A valid card id must be provided');
- }
+ public function create(int $cardId, string $message, string $replyTo = '0'): DataResponse {
 $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
 // Check if parent is a comment on the same card
 if ($replyTo !== '0') {
 try {
 $comment = $this->commentsManager->get($replyTo);
- if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
+ if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || (int)$comment->getObjectId() !== $cardId) {
 throw new CommentNotFoundException();
 }
 } catch (CommentNotFoundException $e) {
@@ -103,7 +100,7 @@ class CommentService {
 }
 try {
- $comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
+ $comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, (string)$cardId);
 $comment->setMessage($message);
 $comment->setVerb('comment');
 $comment->setParentId($replyTo);
diff --git a/lib/Service/PermissionService.php b/lib/Service/PermissionService.php
index d178d9a8b..9519926b0 100644
--- a/lib/Service/PermissionService.php
+++ b/lib/Service/PermissionService.php
@@ -29,6 +29,7 @@ use OCA\Deck\Db\Acl;
 use OCA\Deck\Db\AclMapper;
 use OCA\Deck\Db\Board;
 use OCA\Deck\Db\BoardMapper;
+use OCA\Deck\Db\CardMapper;
 use OCA\Deck\Db\IPermissionMapper;
 use OCA\Deck\Db\User;
 use OCA\Deck\NoPermissionException;
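Review bot: The `@throws BadRequestException` line kept in the docblock above the new signature no longer matches the method: the `is_numeric` guard that raised it is removed, and with `int $cardId` a non-numeric id now fails as a PHP TypeError (or is coerced, depending on whether the file declares `strict_types`, which is not visible here) unless the controller validates it first. That turns a deliberate 400 into a 500-class error for malformed input; either drop the `@throws BadRequestException` annotation or keep an explicit boundary check such as `if ($cardId <= 0) { throw new BadRequestException('A valid card id must be provided'); }`. The `(int)$comment->getObjectId() !== $cardId` comparison is the right companion to the type change, and the `checkPermission` call now also relies on the new default `allowDeletedCard = false`, so comments on soft-deleted cards are refused as the commit intends. The method body continues past the end of this hunk.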
@@ -138,13 +139,10 @@ class PermissionService {
 /**
 * check permissions for replacing dark magic middleware
 *
- @param $mapper IPermissionMapper|null null if $id is a boardId
- @param $id int unique identifier of the Entity
- @param $permission int
- @return bool
+ @param numeric $id
 * @throws NoPermissionException
 */
- public function checkPermission($mapper, $id, $permission, $userId = null) {
+ public function checkPermission($mapper, $id, $permission, $userId = null, bool $allowDeletedCard = false) {
 $boardId = $id;
 if ($mapper instanceof IPermissionMapper && !($mapper instanceof BoardMapper)) {
 $boardId = $mapper->findBoardId($id);
@@ -158,7 +156,16 @@ class PermissionService {
 throw new NoPermissionException('Permission denied');
 }
- if ($this->userIsBoardOwner($boardId, $userId)) {
+ $permissions = $this->getPermissions($boardId, $userId);
+ if ($permissions[$permission] === true) {
+
+ if (!$allowDeletedCard && $mapper instanceof CardMapper) {
+ $card = $mapper->find($id);
+ if ($card->getDeletedAt() > 0) {
+ throw new NoPermissionException('Card is deleted');
+ }
+ }
+ return true;
 }
diff --git a/lib/Sharing/ShareAPIHelper.php b/lib/Sharing/ShareAPIHelper.php
index 5528b6a92..41a5dfc6d 100644
--- a/lib/Sharing/ShareAPIHelper.php
+++ b/lib/Sharing/ShareAPIHelper.php
@@ -115,7 +115,7 @@ class ShareAPIHelper {
 */
 public function canAccessShare(IShare $share, string $user): bool {
 try {
- $this->permissionService->checkPermission($this->cardMapper, $share->getSharedWith(), Acl::PERMISSION_READ, $user);
+ $this->permissionService->checkPermission($this->cardMapper, (int)$share->getSharedWith(), Acl::PERMISSION_READ, $user);
 } catch (NoPermissionException $e) {
 return false;
 }
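Review bot: The new `bool $allowDeletedCard` parameter is undocumented, and the rewritten docblock also drops the explanation of `$mapper` (null or a BoardMapper when `$id` is a board id) and of `$permission`, which a caller needs to use this entry point correctly. I would keep those lines and add `@param bool $allowDeletedCard true to skip the refusal of soft-deleted cards that is applied for CardMapper lookups`. A boolean appended as the fifth positional parameter is easy to misread at call sites, so callers that need it should pass it as a named argument, `allowDeletedCard: true`. The method body continues past this hunk.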
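Review bot: `$allowDeletedCard` defaults to false, so every existing `checkPermission` call made through a `CardMapper` now refuses soft-deleted cards, yet this diff updates no caller to pass `true`; any restore or deleted-card path in CardService (not in this diff) that relied on the old behaviour will now throw 'Card is deleted' unless it is adapted. `$mapper->find($id)` is a second load of the same card that `findBoardId($id)` resolved earlier in the method, and it propagates whatever the mapper throws for a missing row instead of NoPermissionException, so a card removed between the two queries surfaces as an unhandled error rather than a denial. `$permissions[$permission]` also emits an undefined-index warning for a `$permission` value outside the Acl constants; `($permissions[$permission] ?? false) === true` keeps the denial without the notice. The blank line directly after the `if (...) {` is a style nit. The rest of checkPermission, including what happens when the permission is not granted, is outside this hunk.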
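Review bot: `(int)$share->getSharedWith()` converts any non-numeric or empty value to 0 instead of rejecting it, so a malformed share is checked against card id 0 and access is then decided by whatever `findBoardId(0)` and `find(0)` do; only NoPermissionException is caught here, so any other exception from that path escapes `canAccessShare`. Validate before casting, e.g. `$cardId = $share->getSharedWith(); if (!ctype_digit($cardId)) { return false; }` and pass `(int)$cardId` (`is_numeric` would also accept forms like `'1e3'`). Note that this call inherits the new default `allowDeletedCard = false`, so shares pointing at a soft-deleted card now fail the access check — presumably intended, but worth stating in the commit message.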