Make sure users can only see their favorites

2020-09-05 16:33:12 +02:00 · 2020-09-05 16:33:12 +02:00 · 530f07ce4d
parent d0f2b216e0
commit 530f07ce4d
5 changed files with 23 additions and 10 deletions
--- a/pkg/models/kanban.go
+++ b/pkg/models/kanban.go
@ -128,7 +128,7 @@ func (b *Bucket) ReadAll(auth web.Auth, search string, page int, perPage int) (r
 			},
 		},
 	}
-	tasks, _, _, err := getTasksForLists([]*List{{ID: b.ListID}}, opts)
+	tasks, _, _, err := getTasksForLists([]*List{{ID: b.ListID}}, auth, opts)
 	if err != nil {
 		return
 	}
--- a/pkg/models/label.go
+++ b/pkg/models/label.go
@ -217,7 +217,7 @@ func getUserTaskIDs(u *user.User) (taskIDs []int64, err error) {
 		return nil, err
 	}

-	tasks, _, _, err := getRawTasksForLists(lists, &taskOptions{
+	tasks, _, _, err := getRawTasksForLists(lists, u, &taskOptions{
 		page:    -1,
 		perPage: 0,
 	})
--- a/pkg/models/list_duplicate.go
+++ b/pkg/models/list_duplicate.go
@ -106,7 +106,7 @@ func (ld *ListDuplicate) Create(a web.Auth) (err error) {
 	log.Debugf("Duplicated all buckets from list %d into %d", ld.ListID, ld.List.ID)

 	// Get all tasks + all task details
-	tasks, _, _, err := getTasksForLists([]*List{{ID: ld.ListID}}, &taskOptions{})
+	tasks, _, _, err := getTasksForLists([]*List{{ID: ld.ListID}}, a, &taskOptions{})
 	if err != nil {
 		return err
 	}
--- a/pkg/models/task_collection.go
+++ b/pkg/models/task_collection.go
@ -150,7 +150,7 @@ func (tf *TaskCollection) ReadAll(a web.Auth, search string, page int, perPage i
 		if err != nil {
 			return nil, 0, 0, err
 		}
-		return getTasksForLists([]*List{list}, taskopts)
+		return getTasksForLists([]*List{list}, a, taskopts)
 	}

 	// If the list ID is not set, we get all tasks for the user.
@ -176,5 +176,5 @@ func (tf *TaskCollection) ReadAll(a web.Auth, search string, page int, perPage i
 		tf.Lists = []*List{{ID: tf.ListID}}
 	}

-	return getTasksForLists(tf.Lists, taskopts)
+	return getTasksForLists(tf.Lists, a, taskopts)
 }
--- a/pkg/models/tasks.go
+++ b/pkg/models/tasks.go
@ -168,7 +168,7 @@ func (t *Task) ReadAll(a web.Auth, search string, page int, perPage int) (result
 	return nil, 0, 0, nil
 }

-func getRawTasksForLists(lists []*List, opts *taskOptions) (tasks []*Task, resultCount int, totalItems int64, err error) {
+func getRawTasksForLists(lists []*List, a web.Auth, opts *taskOptions) (tasks []*Task, resultCount int, totalItems int64, err error) {

 	// If the user does not have any lists, don't try to get any tasks
 	if len(lists) == 0 {
@ -289,8 +289,21 @@ func getRawTasksForLists(lists []*List, opts *taskOptions) (tasks []*Task, resul
 	}

 	if hasFavoriteLists {
-		// TODO: Make sure users can only see their favorites
-		listCond = builder.Or(listIDCond, builder.Eq{"is_favorite": true})
+		// Make sure users can only see their favorites
+		userLists, _, _, err := getRawListsForUser(&listOptions{
+			user: &user.User{ID: a.GetID()},
+			page: -1,
+		})
+		if err != nil {
+			return nil, 0, 0, err
+		}
+
+		userListIDs := make([]int64, len(userLists))
+		for _, l := range userLists {
+			userListIDs = append(userListIDs, l.ID)
+		}
+
+		listCond = builder.Or(listIDCond, builder.And(builder.Eq{"is_favorite": true}, builder.In("list_id", userListIDs)))
 	}

 	query = query.Where(listCond)
@ -328,9 +341,9 @@ func getRawTasksForLists(lists []*List, opts *taskOptions) (tasks []*Task, resul
 	return tasks, len(tasks), totalItems, nil
 }

-func getTasksForLists(lists []*List, opts *taskOptions) (tasks []*Task, resultCount int, totalItems int64, err error) {
+func getTasksForLists(lists []*List, a web.Auth, opts *taskOptions) (tasks []*Task, resultCount int, totalItems int64, err error) {

-	tasks, resultCount, totalItems, err = getRawTasksForLists(lists, opts)
+	tasks, resultCount, totalItems, err = getRawTasksForLists(lists, a, opts)
 	if err != nil {
 		return nil, 0, 0, err
 	}