From eb6327a14710fe5cc152e243205c5fbb9569938d Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 22 Apr 2021 16:44:42 +0200
Subject: [PATCH] Fix checking list rights when accessing a bucket
(Cherry-picked from 4ceeb877b188ab727c200a06fc77eabcdaf23224)
---
 pkg/models/kanban.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/pkg/models/kanban.go b/pkg/models/kanban.go
index 433764cb562..4dcdd642a96 100644
--- a/pkg/models/kanban.go
+++ b/pkg/models/kanban.go
@@ -99,6 +99,19 @@ func getDefaultBucket(s *xorm.Session, listID int64) (bucket *Bucket, err error)
 // @Router /lists/{id}/buckets [get]
 func (b *Bucket) ReadAll(s *xorm.Session, auth web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+ list, err := GetListSimpleByID(s, b.ListID)
+ if err != nil {
+ return nil, 0, 0, err
+ }
+
+ can, _, err := list.CanRead(s, auth)
+ if err != nil {
+ return nil, 0, 0, err
+ }
+ if !can {
+ return nil, 0, 0, ErrGenericForbidden{}
+ }
+
 // Note: I'm ignoring pagination for now since I've yet to figure out a way on how to make it work
 // I'll probably just don't do it and instead make individual tasks archivable.
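Review bot: The read check added at the top of `ReadAll` lands without a regression test: the diffstat lists only pkg/models/kanban.go, so nothing pins that a caller without read access to `b.ListID` gets `ErrGenericForbidden{}` rather than the list's buckets. I would add a test case for exactly that path (an authenticated user with no rights on the list), so a later refactor of `ReadAll` cannot drop the check unnoticed. A one-line why-comment above the block would also help, for example `// Reading buckets requires read access to the list they belong to.`. Whether the other `Bucket` methods enforce the same list check cannot be confirmed from this hunk, and `ReadAll`'s body continues past the last context line.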