check permission on notify-due

check permission on notify-due

Signed-off-by: samin-z <samin.zavarkesh@gmail.com>

[skip ci]

Author: samin-z

lib/Controller/ConfigController.php

@@ -6,6 +6,8 @@
 
 namespace OCA\Deck\Controller;
 
+use OCA\Deck\Db\Acl;
+use OCA\Deck\Db\BoardMapper;
 use OCA\Deck\Service\ConfigService;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -17,6 +19,8 @@ public function __construct(
 		$AppName,
 		IRequest $request,
 		private ConfigService $configService,
+		private PermissionService $permissionService,
+		private BoardMapper $boardMapper,
 	) {
 		parent::__construct($AppName, $request);
 	}

lib/Service/ConfigService.php

@@ -157,7 +157,12 @@ public function set($key, $value) {
 				$result = $value;
 				break;
 			case 'board':
-				[$boardId, $boardConfigKey] = explode(':', $key);
+				// extra check that user only send one of the allowed board settings and not something random
+				$parts = explode(':', $key, 3);
+				if (count($parts) < 3) {
+					break;
+				}
+				$boardConfigKey = $parts[2];
 				if ($boardConfigKey === 'notify-due' && !in_array($value, [self::SETTING_BOARD_NOTIFICATION_DUE_ALL, self::SETTING_BOARD_NOTIFICATION_DUE_ASSIGNED, self::SETTING_BOARD_NOTIFICATION_DUE_OFF], true)) {
 					throw new BadRequestException('Board notification option must be one of: off, assigned, all');
 				}