From 8229d40981bec75bad6322ad7918dd2b6a62a486 Mon Sep 17 00:00:00 2001
From: Luka Trovic
Date: Fri, 25 Jul 2025 16:21:10 +0200
Subject: [PATCH] fix: acl check when delete, update board acl
Signed-off-by: Luka Trovic
---
 lib/Service/BoardService.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/Service/BoardService.php b/lib/Service/BoardService.php
index 45ec3d1a9..b88111add 100644
--- a/lib/Service/BoardService.php
+++ b/lib/Service/BoardService.php
@@ -320,14 +320,14 @@ class BoardService {
 return $board;
 }
- private function applyPermissions($boardId, $edit, $share, $manage) {
+ private function applyPermissions($boardId, $edit, $share, $manage, $oldAcl = null) {
 try {
 $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_MANAGE);
 } catch (NoPermissionException $e) {
 $acls = $this->aclMapper->findAll($boardId);
- $edit = $this->permissionService->userCan($acls, Acl::PERMISSION_EDIT, $this->userId) && $edit;
- $share = $this->permissionService->userCan($acls, Acl::PERMISSION_SHARE, $this->userId) && $share;
- $manage = $this->permissionService->userCan($acls, Acl::PERMISSION_MANAGE, $this->userId) && $manage;
+ $edit = $this->permissionService->userCan($acls, Acl::PERMISSION_EDIT, $this->userId) ? $edit : $oldAcl?->getPermissionEdit() ?? false;
+ $share = $this->permissionService->userCan($acls, Acl::PERMISSION_SHARE, $this->userId) ? $share : $oldAcl?->getPermissionShare() ?? false;
+ $manage = $this->permissionService->userCan($acls, Acl::PERMISSION_MANAGE, $this->userId) ? $manage : $oldAcl?->getPermissionManage() ?? false;
 }
 return [$edit, $share, $manage];
 }
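Review bot: The three fallback expressions in the `catch (NoPermissionException $e)` branch of `applyPermissions` mix `?:` and `??` without parentheses, so a reader has to know that `??` binds tighter to see that the stored value is used only when `userCan()` is false. Writing each as `... ? $edit : ($oldAcl?->getPermissionEdit() ?? false);` makes the access-control rule explicit, and declaring the new parameter as `?Acl $oldAcl = null` keeps callers from passing anything without these getters. The method also has no comment stating the invariant it enforces; I would add one such as `// Without MANAGE, a caller may only change flags they hold; all others keep the stored value (false for a new entry).` Note that under this rule a caller holding EDIT and SHARE but not MANAGE can still clear those two flags on any entry, possibly including a manager's; if that is not intended it needs a check that is not visible in this hunk.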
@@ -417,7 +417,7 @@ class BoardService {
 /** @var Acl $acl */
 $acl = $this->aclMapper->find($id);
- [$edit, $share, $manage] = $this->applyPermissions($acl->getBoardId(), $edit, $share, $manage);
+ [$edit, $share, $manage] = $this->applyPermissions($acl->getBoardId(), $edit, $share, $manage, $acl);
 $acl->setPermissionEdit($edit);
 $acl->setPermissionShare($share);
 $acl->setPermissionManage($manage);
@@ -439,7 +439,7 @@ class BoardService {
 * @throws NotFoundExceptionInterface
 */
 public function deleteAcl(int $id): ?Acl {
- $this->permissionService->checkPermission($this->aclMapper, $id, Acl::PERMISSION_SHARE);
+ $this->permissionService->checkPermission($this->aclMapper, $id, Acl::PERMISSION_MANAGE);
 /** @var Acl $acl */
 $acl = $this->aclMapper->find($id);
 $this->boardMapper->mapAcl($acl);
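Review bot: The docblock above `deleteAcl` does not say which permission the method requires, and this commit changes that requirement from SHARE to MANAGE, so callers and API clients that relied on the old rule get a `NoPermissionException` with nothing in the source explaining why. I would add a line such as `* Requires Acl::PERMISSION_MANAGE; PERMISSION_SHARE alone is no longer sufficient.` to that docblock. Delete and update now follow different rules: the call in the `@@ -417,7 +417,7 @@` hunk still passes a non-manager into `applyPermissions`. The check that guards the start of that update method is outside the hunk, so the difference may be deliberate, but it should be written down. A regression test asserting that a SHARE-only user is rejected by `deleteAcl` would pin the fix; the body of `deleteAcl` continues past the end of the hunk.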