Merge pull request #7994 from nextcloud/backport/7990/stable30

[stable30] fix: board notify-due

Author: samin-z

lib/Controller/ConfigController.php

@@ -6,7 +6,10 @@
 
 namespace OCA\Deck\Controller;
 
+use OCA\Deck\Db\Acl;
+use OCA\Deck\Db\BoardMapper;
 use OCA\Deck\Service\ConfigService;
+use OCA\Deck\Service\PermissionService;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
 use OCP\AppFramework\OCSController;
@@ -17,6 +20,8 @@ public function __construct(
 		$AppName,
 		IRequest $request,
 		private ConfigService $configService,
+		private PermissionService $permissionService,
+		private BoardMapper $boardMapper,
 	) {
 		parent::__construct($AppName, $request);
 	}
@@ -34,6 +39,14 @@ public function get(): DataResponse {
 	 * @NoAdminRequired
 	 */
 	public function setValue(string $key, $value) {
+		if (preg_match('/^board:(\d+):/', $key, $matches) === 1) {
+			$this->permissionService->checkPermission(
+				$this->boardMapper,
+				(int)$matches[1],
+				Acl::PERMISSION_EDIT,
+			);
+		}
+
 		$result = $this->configService->set($key, $value);
 		if ($result === null) {
 			return new NotFoundResponse();

lib/Service/ConfigService.php

@@ -157,7 +157,12 @@ public function set($key, $value) {
 				$result = $value;
 				break;
 			case 'board':
-				[$boardId, $boardConfigKey] = explode(':', $key);
+				// extra check that user only send one of the allowed board settings and not something random
+				$parts = explode(':', $key, 3);
+				if (count($parts) < 3) {
+					break;
+				}
+				$boardConfigKey = $parts[2];
 				if ($boardConfigKey === 'notify-due' && !in_array($value, [self::SETTING_BOARD_NOTIFICATION_DUE_ALL, self::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED, self::SETTING_BOARD_NOTIFICATION_DUE_OFF], true)) {
 					throw new BadRequestException('Board notification option must be one of: off, assigned, all');
 				}