Merge pull request #1423 from nextcloud/backport/1421/stable0.8
juliusknorr authored Oct 16, 2024
2 parents 238ec79 + ad3af8f commit 82309d7
Showing 4 changed files with 576 additions and 4 deletions.
27 changes: 24 additions & 3 deletions lib/Service/RowService.php
@@ -344,6 +344,7 @@ private function getRowById(int $rowId): Row2 {
*
* @throws InternalError
* @throws NotFoundError
* @throws PermissionError
* @noinspection DuplicatedCode
*/
public function updateSet(
@@ -364,10 +365,15 @@ public function updateSet(

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}

try {
@@ -399,10 +405,15 @@ public function updateSet(
$tableId = $item->getTableId();

// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canUpdateRowsByTableId($tableId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
try {
$columns = $this->columnMapper->findAllByTable($tableId);
@@ -456,10 +467,15 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {

if ($viewId) {
// security
if (!$this->permissionsService->canReadRowsByElementId($viewId, 'view', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByViewId($viewId)) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new InternalError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
try {
$view = $this->viewMapper->find($viewId);
@@ -474,6 +490,11 @@ public function delete(int $id, ?int $viewId, string $userId): Row2 {
}
} else {
// security
if (!$this->permissionsService->canReadRowsByElementId($item->getTableId(), 'table', $userId)) {
$e = new \Exception('Row not found.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new NotFoundError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());
}
if (!$this->permissionsService->canDeleteRowsByTableId($item->getTableId())) {
$e = new \Exception('Update row is not allowed.');
$this->logger->error($e->getMessage(), ['exception' => $e]);
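Review bot: The table branch of delete() in the last hunk appears to be left out of the InternalError → PermissionError change: the section counts three replaced throws, which match the two branches of updateSet() and the view branch of delete(), while the throw that follows `canDeleteRowsByTableId($item->getTableId())` lies outside the hunk. If that line still throws InternalError, a denied table delete is reported as a server fault rather than an authorization failure, so API clients and log triage cannot tell the two apart; it should read `throw new PermissionError(get_class($this) . ' - ' . __FUNCTION__ . ': '.$e->getMessage());`, and delete()'s docblock (not visible here) would need `@throws PermissionError` as updateSet()'s now has. Both delete() denials also log 'Update row is not allowed.', which misleads anyone auditing denied deletions; `'Delete row is not allowed.'` would match the operation. Separately, the added read guards pass `$userId` explicitly while the update/delete checks take no user argument, so it is worth confirming that both resolve to the same user in every caller.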