fix: Further limit updating cards

Signed-off-by: Julius Härtl <jus@bitgrid.net>
Julius Härtl
2024-01-04 14:01:24 +01:00
parent 86d2d1a0f3
commit f4791aa4a4
3 changed files with 8 additions and 7 deletions


@@ -298,7 +298,7 @@ class CardService {
public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null, ?OptionalNullableValue $done = null) { public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null, ?OptionalNullableValue $done = null) {
$this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order')); $this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
$this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT); $this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
if ($this->boardService->isArchived($this->cardMapper, $id)) { if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -310,9 +310,9 @@ class CardService {
} }
if ($card->getDeletedAt() !== 0) { if ($card->getDeletedAt() !== 0) {
if ($deletedAt === null) { if ($deletedAt === null || $deletedAt > 0) {
// Only allow operations when restoring the card // Only allow operations when restoring the card
throw new StatusException('Operation not allowed. This card was deleted.'); throw new NoPermissionException('Operation not allowed. This card was deleted.');
} }
} }
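Review bot: The new guard `if ($deletedAt === null || $deletedAt > 0)` rejects only null and positive values, so a negative `$deletedAt` on an already-deleted card passes it even though the comment says only restoring is allowed. Because the permission check above now passes `allowDeletedCard: true`, this condition is the only barrier for deleted cards, and it would be safer as an allowlist for the restore value, e.g. `if (!is_numeric($deletedAt) || (int)$deletedAt !== 0)`, which also covers a value that arrives as a numeric string. A restore request still carries title, description, stack and the other arguments; whether those are applied together with the restore is decided in the part of `update()` outside this hunk, and a short comment stating the intended behaviour would help.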


@@ -294,6 +294,7 @@ class BoardContext implements Context {
*/ */
public function deleteTheCard() { public function deleteTheCard() {
$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']); $this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
$this->card['deletedAt'] = time();
} }
/** /**
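Review bot: `$this->card['deletedAt'] = time();` runs whether or not the DELETE request succeeded, so the context can record a deletion the server never performed, and later steps would then presumably send a non-zero `deletedAt` for a card that is still live. Setting the field only after confirming the response was successful keeps the fixture in step with the server. A one-line comment such as `// Mirror the soft delete locally so later update steps send a non-zero deletedAt` would explain why the field is set, if that is the intent; how the update steps build their payload is not visible in this hunk.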


@@ -126,7 +126,7 @@ Feature: decks
# We currently still expect to be able to update the card as this is used to undo deletion # We currently still expect to be able to update the card as this is used to undo deletion
When set the description to "Update some text" When set the description to "Update some text"
Then the response should have a status code 403 Then the response should have a status code 403
#When set the card attribute "deletedAt" to "0" When set the card attribute "deletedAt" to "0"
#Then the response should have a status code 200 Then the response should have a status code 200
#When set the description to "Update some text" When set the description to "Update some text"
#Then the response should have a status code 200 Then the response should have a status code 200
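Review bot: The comment `# We currently still expect to be able to update the card as this is used to undo deletion` now sits directly above a step that expects 403 for a plain update, so it says the opposite of what the scenario asserts. Something like `# A deleted card rejects normal updates; only setting deletedAt to 0 (undo deletion) is accepted` would match the re-enabled steps. The scenario begins outside this hunk.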