fix: Further limit updating cards

Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Jan 4, 2024 · f4791aa · f4791aa
1 parent 86d2d1a
commit f4791aa
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/lib/Service/CardService.php b/lib/Service/CardService.php
@@ -298,7 +298,7 @@ public function delete($id) {
 	public function update($id, $title, $stackId, $type, $owner, $description = '', $order = 0, $duedate = null, $deletedAt = null, $archived = null, ?OptionalNullableValue $done = null) {
 		$this->cardServiceValidator->check(compact('id', 'title', 'stackId', 'type', 'owner', 'order'));
 
-		$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT);
+		$this->permissionService->checkPermission($this->cardMapper, $id, Acl::PERMISSION_EDIT, allowDeletedCard: true);
 		$this->permissionService->checkPermission($this->stackMapper, $stackId, Acl::PERMISSION_EDIT);
 
 		if ($this->boardService->isArchived($this->cardMapper, $id)) {
@@ -310,9 +310,9 @@ public function update($id, $title, $stackId, $type, $owner, $description = '',
 		}
 
 		if ($card->getDeletedAt() !== 0) {
-			if ($deletedAt === null) {
+			if ($deletedAt === null || $deletedAt > 0) {
 				// Only allow operations when restoring the card
-				throw new StatusException('Operation not allowed. This card was deleted.');
+				throw new NoPermissionException('Operation not allowed. This card was deleted.');
 			}
 		}
 

diff --git a/tests/integration/features/bootstrap/BoardContext.php b/tests/integration/features/bootstrap/BoardContext.php
@@ -294,6 +294,7 @@ public function getRememberedCard($arg1) {
 	 */
 	public function deleteTheCard() {
 		$this->requestContext->sendJSONrequest('DELETE', '/index.php/apps/deck/cards/' . $this->card['id']);
+		$this->card['deletedAt'] = time();
 	}
 
 	/**

diff --git a/tests/integration/features/decks.feature b/tests/integration/features/decks.feature
@@ -126,7 +126,7 @@ Feature: decks
 		# We currently still expect to be able to update the card as this is used to undo deletion
 		When set the description to "Update some text"
 		Then the response should have a status code 403
-		#When set the card attribute "deletedAt" to "0"
-		#Then the response should have a status code 200
-		#When set the description to "Update some text"
-		#Then the response should have a status code 200
+		When set the card attribute "deletedAt" to "0"
+		Then the response should have a status code 200
+		When set the description to "Update some text"
+		Then the response should have a status code 200