Fixed a bug where deleting an attachment would cause a nil panic

2019-11-19 23:07:48 +01:00 · 2019-11-19 23:07:48 +01:00 · dcec9511dc
parent c203d73b33
commit dcec9511dc
3 changed files with 65 additions and 8 deletions
--- a/pkg/models/task_attachment_rights.go
+++ b/pkg/models/task_attachment_rights.go
@ -20,19 +20,13 @@ import "code.vikunja.io/web"

 // CanRead checks if the user can see an attachment
 func (ta *TaskAttachment) CanRead(a web.Auth) (bool, error) {
-	t, err := GetTaskByIDSimple(ta.TaskID)
-	if err != nil {
-		return false, err
-	}
+	t := &Task{ID: ta.TaskID}
 	return t.CanRead(a)
 }

 // CanDelete checks if the user can delete an attachment
 func (ta *TaskAttachment) CanDelete(a web.Auth) (bool, error) {
-	t, err := GetTaskByIDSimple(ta.TaskID)
-	if err != nil {
-		return false, err
-	}
+	t := &Task{ID: ta.TaskID}
 	return t.CanWrite(a)
 }

--- a/pkg/models/task_attachment_test.go
+++ b/pkg/models/task_attachment_test.go
@ -150,3 +150,61 @@ func TestTaskAttachment_Delete(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestTaskAttachment_Rights(t *testing.T) {
+	u := &User{ID: 1}
+	t.Run("Can Read", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanRead(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanRead(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+	t.Run("Can Delete", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden, no access", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+		t.Run("Forbidden, shared read only", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 15}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+	t.Run("Can Create", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden, no access", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+		t.Run("Forbidden, shared read only", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 15}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+}
--- a/pkg/models/tasks_rights.go
+++ b/pkg/models/tasks_rights.go
@ -51,6 +51,11 @@ func (t *Task) CanRead(a web.Auth) (canRead bool, err error) {
 	return l.CanRead(a)
 }

+// CanWrite checks if a user has write access to a task
+func (t *Task) CanWrite(a web.Auth) (canWrite bool, err error) {
+	return t.canDoTask(a)
+}
+
 // Helper function to check if a user can do stuff on a list task
 func (t *Task) canDoTask(a web.Auth) (bool, error) {
 	// Get the task