Ensure some things don't work with a link share auth

kolaente 2019-08-31 15:18:20 +02:00
parent 685988171c
commit cb701a1f74
Signed by: konrad
GPG Key ID: F40E70337AB24C9B
6 changed files with 31 additions and 3 deletions


@ -43,6 +43,11 @@ func (l *Label) CanCreate(a web.Auth) (bool, error) {
}
func (l *Label) isLabelOwner(a web.Auth) (bool, error) {
if _, is := a.(*LinkSharing); is {
return false, nil
}
lorig, err := getLabelByIDSimple(l.ID)
if err != nil {
return false, err
@ -52,6 +57,9 @@ func (l *Label) isLabelOwner(a web.Auth) (bool, error) {
// Helper method to check if a user can see a specific label
func (l *Label) hasAccessToLabel(a web.Auth) (bool, error) {
// TODO: add an extra check for link share handling
// Get all tasks
taskIDs, err := getUserTaskIDs(&User{ID: a.GetID()})
if err != nil {
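Review bot: hasAccessToLabel still has no link-share handling: the added TODO sits directly above `getUserTaskIDs(&User{ID: a.GetID()})`, so an auth that is a `*LinkSharing` is looked up as if its ID were a user ID. If share IDs and user IDs can overlap (not visible here), a share could be granted access to the labels of an unrelated user. Until the dedicated check exists, fail closed with the same guard isLabelOwner gets in this commit: `if _, is := a.(*LinkSharing); is { return false, nil }`. The function body continues past the end of the hunk.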


@ -20,6 +20,11 @@ import "code.vikunja.io/web"
// CanRead implements the read right check for a link share
func (share *LinkSharing) CanRead(a web.Auth) (bool, error) {
// Don't allow creating link shares if the user itself authenticated with a link share
if _, is := a.(*LinkSharing); is {
return false, nil
}
l, err := GetListByShareHash(share.Hash)
if err != nil {
return false, err
@ -43,6 +48,11 @@ func (share *LinkSharing) CanCreate(a web.Auth) (bool, error) {
}
func (share *LinkSharing) canDoLinkShare(a web.Auth) (bool, error) {
// Don't allow creating link shares if the user itself authenticated with a link share
if _, is := a.(*LinkSharing); is {
return false, nil
}
l, err := GetListByShareHash(share.Hash)
if err != nil {
return false, err
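Review bot: The comment added at the top of CanRead is copied from canDoLinkShare and says "creating", but the guard there blocks a link-share auth from reading a share. Something like `// Don't allow reading link shares if the user itself authenticated with a link share` would match the code. In canDoLinkShare the same comment may also be narrower than the code if that helper backs more than creation; its callers are outside the hunk.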


@ -41,5 +41,5 @@ func canDoTaskAssingee(taskID int64, a web.Auth) (bool, error) {
if err != nil {
return false, err
}
return list.CanCreate(a)
return list.CanUpdate(a)
}
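Review bot: canDoTaskAssingee has no comment saying which list right an assignee change requires, and the return line is the only place that encodes it. Assuming `return list.CanUpdate(a)` is the new side (the page lost its +/- markers), a line such as `// Changing assignees modifies an existing task, so update rights on the list are required` above it would keep the choice from being reverted by accident. The function starts outside the hunk; a test with a read-only user would pin the behaviour.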


@ -47,8 +47,8 @@ func (t *Task) CanRead(a web.Auth) (canRead bool, err error) {
}
// A user can read a task if it has access to the list
list := &List{ID: t.ListID}
return list.CanRead(a)
l := &List{ID: t.ListID}
return l.CanRead(a)
}
// Helper function to check if a user can do stuff on a list task


@ -32,6 +32,11 @@ func (tm *TeamMember) CanDelete(a web.Auth) (bool, error) {
// IsAdmin checks if the user is team admin
func (tm *TeamMember) IsAdmin(a web.Auth) (bool, error) {
// Don't allow anything if we're dealing with a list share here
if _, is := a.(*LinkSharing); is {
return false, nil
}
// A user can add a member to a team if he is admin of that team
exists, err := x.Where("user_id = ? AND team_id = ? AND admin = ?", a.GetID(), tm.TeamID, true).
Get(&TeamMember{})
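Review bot: The `*LinkSharing` guard added to TeamMember.IsAdmin is the fifth verbatim copy in this commit (also isLabelOwner, LinkSharing.CanRead, canDoLinkShare and Team.IsAdmin), which makes it easy to leave out of the next rights method. A small helper, e.g. `func isLinkShareAuth(a web.Auth) bool { _, is := a.(*LinkSharing); return is }`, would keep the deny rule in one place. The comments on the copies also drift: this one says "list share" and the one in Team.IsAdmin says "deadling", where both mean "dealing with a link share". The body of IsAdmin continues outside the hunk.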


@ -38,6 +38,11 @@ func (t *Team) CanDelete(a web.Auth) (bool, error) {
// IsAdmin returns true when the user is admin of a team
func (t *Team) IsAdmin(a web.Auth) (bool, error) {
// Don't do anything if we're deadling with a link share auth here
if _, is := a.(*LinkSharing); is {
return false, nil
}
// Check if the team exists to be able to return a proper error message if not
_, err := GetTeamByID(t.ID)
if err != nil {