diff --git a/src/api/controllers/Columns.php b/src/api/controllers/Columns.php index f71461b..922d597 100644 --- a/src/api/controllers/Columns.php +++ b/src/api/controllers/Columns.php @@ -11,7 +11,6 @@ class Columns extends BaseController { } $column = new Column($this->container, (int)$args['id']); - // TODO: Verify user has board access if ($column->id === 0) { $this->logger->addError('Attempt to load column ' . @@ -22,6 +21,10 @@ class Columns extends BaseController { return $this->jsonResponse($response); } + if (!$this->checkBoardAccess($column->board_id, $request)) { + return $this->jsonResponse($response, 403); + } + $this->apiJson->setSuccess(); $this->apiJson->addData($column); @@ -35,13 +38,12 @@ class Columns extends BaseController { return $this->jsonResponse($response, $status); } - // TODO: Verify user has board access - $actor = new User($this->container, Auth::GetUserId($request)); - $column = new Column($this->container); $column->loadFromJson($request->getBody()); - if (!$column->save()) { + $board = new Board($this->container, $column->board_id); + + if ($board->id === 0) { $this->logger->addError('Add Column: ', [$column]); $this->apiJson->addAlert('error', 'Error adding column. ' . 'Please try again.'); @@ -49,6 +51,14 @@ class Columns extends BaseController { return $this->jsonResponse($response); } + if (!$this->checkBoardAccess($column->board_id, $request)) { + return $this->jsonResponse($response, 403); + } + + $column->save(); + + $actor = new User($this->container, Auth::GetUserId($request)); + $this->dbLogger->logChange($this->container, $actor->id, $actor->username . ' added column ' . $column->name . '.', '', json_encode($column), 'column', $column->id); 
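Review bot: In getColumn the new `checkBoardAccess` guard (the @@ -22,6 +21,10 hunk) runs only after the `$column->id === 0` branch has already answered, so a caller without access to the board still learns whether a given column id exists before the 403 comes back; removeColumn (the @@ -117,9 +127,14 hunk) orders its checks the same way. Because board_id is only known once the column is loaded, the load has to come first, but the two failure responses could share one status and one message so that an unauthorised caller cannot tell "no such column" from "not your board". If that distinction is acceptable for this API, a short comment above the guard saying so would stop the next reader from reopening the question. Both enclosing methods start outside their hunks.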
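Review bot: In addColumn the return value of `$column->save()` (the @@ -49,6 +51,14 hunk) is now discarded, whereas the removed `if (!$column->save())` in the @@ -35,13 +38,12 hunk used it to drive the error path; a failed save now falls through to `logChange` and, presumably, the success response below, so the client is told the column was created. I would keep the new `$board->id === 0` branch and guard the save again with `if (!$column->save()) { … }` carrying the same logger call, alert and return as that branch. A nonexistent board in the payload is also a client error rather than a server one, so that branch could pass an explicit 4xx status to `jsonResponse` instead of the default. The enclosing method starts before the first of these hunks and its body continues past the second.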
@@ -67,10 +77,12 @@ class Columns extends BaseController { return $this->jsonResponse($response, $status); } - // TODO: Verify user has board access - $actor = new User($this->container, Auth::GetUserId($request)); - $column = new Column($this->container, (int)$args['id']); + + if (!$this->checkBoardAccess($column->board_id, $request)) { + return $this->jsonResponse($response, 403); + } + $update = new Column($this->container); $update->loadFromJson($request->getBody()); @@ -84,6 +96,7 @@ class Columns extends BaseController { $update->save(); + $actor = new User($this->container, Auth::GetUserId($request)); $this->dbLogger->logChange($this->container, $actor->id, $actor->username . ' updated column ' . $update->name, json_encode($column), json_encode($update), @@ -103,9 +116,6 @@ class Columns extends BaseController { return $this->jsonResponse($response, $status); } - // TODO: Verify user has board access - $actor = new User($this->container, Auth::GetUserId($request)); - $id = (int)$args['id']; $column = new Column($this->container, $id); @@ -117,9 +127,14 @@ class Columns extends BaseController { return $this->jsonResponse($response); } + if (!$this->checkBoardAccess($column->board_id, $request)) { + return $this->jsonResponse($response, 403); + } + $before = $column; $column->delete(); + $actor = new User($this->container, Auth::GetUserId($request)); $this->dbLogger->logChange($this->container, $actor->id, $actor->username . ' removed column ' . $before->name, json_encode($before), '', 'column', $id); diff --git a/test/api/controllers/BoardsTest.php b/test/api/controllers/BoardsTest.php index c59a2de..1f922ab 100644 --- a/test/api/controllers/BoardsTest.php +++ b/test/api/controllers/BoardsTest.php 
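Review bot: The guard added in updateColumn (the @@ -67,10 +77,12 hunk) checks the board the column currently belongs to, but `$update` is then filled from the request body and saved in the @@ -84,6 +96,7 hunk, so a payload carrying a different board_id would move the column onto a board the check never examined — unless the lines between the two hunks compare the two ids. I would check the destination as well, e.g. `if (!$this->checkBoardAccess($update->board_id, $request)) {` / `return $this->jsonResponse($response, 403);` / `}` right after `loadFromJson`, or reject a board_id that differs from `$column->board_id` outright if moving columns between boards is not a supported operation. updateColumn starts before the hunk and its body continues between and after the two hunks.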
@@ -1,9 +1,6 @@ alerts[0]['text']); } + public function testGetColumnForbidden() { + $this->createColumn(); + + DataMock::createBoardAdminUser(); + + $args = []; + $args['id'] = 1; + + $request = new RequestMock(); + $request->header = [DataMock::getJwt(2)]; + + $this->columns = new Columns(new ContainerMock()); + + $actual = $this->columns->getColumn($request, + new ResponseMock(), $args); + $this->assertEquals('Access restricted.', + $actual->alerts[0]['text']); + } + public function testAddRemoveColumn() { $actual = $this->createColumn(); $this->assertEquals('success', $actual->status); @@ -122,6 +141,44 @@ class ColumnsTest extends PHPUnit_Framework_TestCase { $this->assertEquals('failure', $response->status); } + public function testAddColumnForbidden() { + $this->createColumn(); + + DataMock::createBoardAdminUser(); + + $column = DataMock::getColumn(); + $column->id = 0; + + $request = new RequestMock(); + $request->header = [DataMock::getJwt(2)]; + $request->payload = $column; + + $this->columns = new Columns(new ContainerMock()); + + $actual = $this->columns->addColumn($request, + new ResponseMock(), null); + $this->assertEquals('Access restricted.', + $actual->alerts[0]['text']); + } + + public function testRemoveColumnForbidden() { + $this->createColumn(); + + DataMock::createBoardAdminUser(); + + $args = []; + $args['id'] = 1; + + $request = new RequestMock(); + $request->header = [DataMock::getJwt(2)]; + + $this->columns = new Columns(new ContainerMock()); + + $actual = $this->columns->removeColumn($request, + new ResponseMock(), $args); + $this->assertEquals('Access restricted.', + $actual->alerts[0]['text']); + } public function testUpdateColumn() { $this->createColumn(); 
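Review bot: testAddColumnForbidden and testRemoveColumnForbidden (the @@ -122,6 +141,44 hunk) assert only on `alerts[0]['text']`, so a regression that emits the same alert but still performs the write would pass; the same applies to testGetColumnForbidden, whose hunk header falls outside this chunk. Alongside the text assertion I would add `$this->assertEquals('failure', $actual->status);` (assuming the 403 path marks the response as a failure, as the other error tests here expect), and in testRemoveColumnForbidden re-fetch column 1 with `DataMock::getJwt()` afterwards and assert it still loads. That the second JWT (`DataMock::getJwt(2)`) belongs to a user without access to the board is inferred from `createBoardAdminUser` and is not visible here, so a one-line comment on that setup would help.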
@@ -170,12 +227,56 @@ class ColumnsTest extends PHPUnit_Framework_TestCase { $actual->alerts[0]['text']); } + public function testUpdateColumnForbidden() { + $this->createColumn(); + + DataMock::createBoardAdminUser(); + + $column = DataMock::getColumn(); + $column->name = 'test'; + + $args = []; + $args['id'] = $column->id; + + $request = new RequestMock(); + $request->header = [DataMock::getJwt(2)]; + $request->payload = $column; + + $this->columns = new Columns(new ContainerMock()); + + $actual = $this->columns->updateColumn($request, + new ResponseMock(), $args); + $this->assertEquals('Access restricted.', + $actual->alerts[0]['text']); + } + + private function createBoard() { + $request = new RequestMock(); + $request->header = [DataMock::getJwt()]; + + $board = DataMock::getBoard(); + $board->id = 0; + + $request->payload = $board; + $boards = new Boards(new ContainerMock()); + + $response = $boards->addBoard($request, + new ResponseMock(), null); + $this->assertEquals('success', $response->status); + + return $response; + } + private function createColumn() { + $this->createBoard(); + $request = new RequestMock(); $request->header = [DataMock::getJwt()]; $column = DataMock::getColumn(); $column->id = 0; + $column->name = 'testing'; + $column->tasks = []; $request->payload = $column;