Merge pull request #7990 from nextcloud/fix/board-preference-permissions

fix: board notify-due

Author: samin-z

lib/Controller/ConfigController.php

@@ -7,7 +7,10 @@
 
 namespace OCA\Deck\Controller;
 
+use OCA\Deck\Db\Acl;
+use OCA\Deck\Db\BoardMapper;
 use OCA\Deck\Service\ConfigService;
+use OCA\Deck\Service\PermissionService;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\DataResponse;
@@ -20,6 +23,8 @@ public function __construct(
 		$AppName,
 		IRequest $request,
 		private ConfigService $configService,
+		private PermissionService $permissionService,
+		private BoardMapper $boardMapper,
 	) {
 		parent::__construct($AppName, $request);
 	}
@@ -33,6 +38,14 @@ public function get(): DataResponse {
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
 	public function setValue(string $key, mixed $value): DataResponse|NotFoundResponse {
+		if (preg_match('/^board:(\d+):/', $key, $matches) === 1) {
+			$this->permissionService->checkPermission(
+				$this->boardMapper,
+				(int)$matches[1],
+				Acl::PERMISSION_EDIT,
+			);
+		}
+
 		$result = $this->configService->set($key, $value);
 		if ($result === null) {
 			return new NotFoundResponse();

lib/Service/ConfigService.php

@@ -183,7 +183,12 @@ public function set($key, $value) {
 				$result = $value;
 				break;
 			case 'board':
-				[$boardId, $boardConfigKey] = explode(':', $key);
+				// extra check that user only send one of the allowed board settings and not something random
+				$parts = explode(':', $key, 3);
+				if (count($parts) < 3) {
+					break;
+				}
+				$boardConfigKey = $parts[2];
 				if ($boardConfigKey === 'notify-due' && !in_array($value, [self::SETTING_BOARD_NOTIFICATION_DUE_ALL, self::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED, self::SETTING_BOARD_NOTIFICATION_DUE_OFF], true)) {
 					throw new BadRequestException('Board notification option must be one of: off, assigned, all');
 				}