ahtlon/deck
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Properly validate provided parent comment

Browse Source 
Signed-off-by: Julius Härtl <jus@bitgrid.net>
This commit is contained in:
Julius Härtl
2020-06-13 13:11:07 +02:00
parent 925465763a
commit f808c0551d
1 changed files with 25 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
lib/Service/CommentService.php
View File

@@ -88,13 +88,26 @@ class CommentService {
* @param string $replyTo * @param string $replyTo
* @return DataResponse * @return DataResponse
* @throws BadRequestException * @throws BadRequestException
* @throws NotFoundException * @throws NotFoundException|NoPermissionException
*/ */
public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse { public function create(string $cardId, string $message, string $replyTo = '0'): DataResponse {
if (!is_numeric($cardId)) { if (!is_numeric($cardId)) {
throw new BadRequestException('A valid card id must be provided'); throw new BadRequestException('A valid card id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
// Check if parent is a comment on the same card
if ($replyTo !== '0') {
try {
$comment = $this->commentsManager->get($replyTo);
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
throw new CommentNotFoundException();
}
} catch (CommentNotFoundException $e) {
throw new BadRequestException('Invalid parent id: The parent comment was not found or belongs to a different card');
}
}
try { try {
$comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId); $comment = $this->commentsManager->create('users', $this->userId, Application::COMMENT_ENTITY_TYPE, $cardId);
$comment->setMessage($message); $comment->setMessage($message);
@@ -122,12 +135,19 @@ class CommentService {
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
try { try {
$comment = $this->commentsManager->get($commentId); $comment = $this->commentsManager->get($commentId);
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
throw new CommentNotFoundException();
}
} catch (CommentNotFoundException $e) { } catch (CommentNotFoundException $e) {
throw new NotFoundException('No comment found.'); throw new NotFoundException('No comment found.');
} }
if ($comment->getActorType() !== 'users' || $comment->getActorId() !== $this->userId) { if ($comment->getActorType() !== 'users' || $comment->getActorId() !== $this->userId) {
throw new NoPermissionException('Only authors are allowed to edit their comment.'); throw new NoPermissionException('Only authors are allowed to edit their comment.');
} }
if ($comment->getParentId() !== '0') {
$this->permissionService->checkPermission($this->cardMapper, $comment->getParentId(), Acl::PERMISSION_READ);
}
$comment->setMessage($message); $comment->setMessage($message);
$this->commentsManager->save($comment); $this->commentsManager->save($comment);
return new DataResponse($this->formatComment($comment)); return new DataResponse($this->formatComment($comment));
@@ -141,8 +161,12 @@ class CommentService {
throw new BadRequestException('A valid comment id must be provided'); throw new BadRequestException('A valid comment id must be provided');
} }
$this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ); $this->permissionService->checkPermission($this->cardMapper, $cardId, Acl::PERMISSION_READ);
try { try {
$comment = $this->commentsManager->get($commentId); $comment = $this->commentsManager->get($commentId);
if ($comment->getObjectType() !== Application::COMMENT_ENTITY_TYPE || $comment->getObjectId() !== $cardId) {
throw new CommentNotFoundException();
}
} catch (CommentNotFoundException $e) { } catch (CommentNotFoundException $e) {
throw new NotFoundException('No comment found.'); throw new NotFoundException('No comment found.');
} }