From dcec9511dcc3acb6402a371e6b7b7e33d233c6a9 Mon Sep 17 00:00:00 2001
From: kolaente <k@knt.li>
Date: Tue, 19 Nov 2019 23:07:48 +0100
Subject: [PATCH] Fixed a bug where deleting an attachment would cause a nil
 panic

---
 pkg/models/task_attachment_rights.go | 10 +----
 pkg/models/task_attachment_test.go   | 58 ++++++++++++++++++++++++++++
 pkg/models/tasks_rights.go           |  5 +++
 3 files changed, 65 insertions(+), 8 deletions(-)

diff --git a/pkg/models/task_attachment_rights.go b/pkg/models/task_attachment_rights.go
index 161538110..30bd29b95 100644
--- a/pkg/models/task_attachment_rights.go
+++ b/pkg/models/task_attachment_rights.go
@@ -20,19 +20,13 @@ import "code.vikunja.io/web"
 
 // CanRead checks if the user can see an attachment
 func (ta *TaskAttachment) CanRead(a web.Auth) (bool, error) {
-	t, err := GetTaskByIDSimple(ta.TaskID)
-	if err != nil {
-		return false, err
-	}
+	t := &Task{ID: ta.TaskID}
 	return t.CanRead(a)
 }
 
 // CanDelete checks if the user can delete an attachment
 func (ta *TaskAttachment) CanDelete(a web.Auth) (bool, error) {
-	t, err := GetTaskByIDSimple(ta.TaskID)
-	if err != nil {
-		return false, err
-	}
+	t := &Task{ID: ta.TaskID}
 	return t.CanWrite(a)
 }
 
diff --git a/pkg/models/task_attachment_test.go b/pkg/models/task_attachment_test.go
index b7a0628f7..7df554b60 100644
--- a/pkg/models/task_attachment_test.go
+++ b/pkg/models/task_attachment_test.go
@@ -150,3 +150,61 @@ func TestTaskAttachment_Delete(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestTaskAttachment_Rights(t *testing.T) {
+	u := &User{ID: 1}
+	t.Run("Can Read", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanRead(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanRead(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+	t.Run("Can Delete", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden, no access", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+		t.Run("Forbidden, shared read only", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 15}
+			can, err := ta.CanDelete(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+	t.Run("Can Create", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 1}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.True(t, can)
+		})
+		t.Run("Forbidden, no access", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 14}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+		t.Run("Forbidden, shared read only", func(t *testing.T) {
+			ta := &TaskAttachment{TaskID: 15}
+			can, err := ta.CanCreate(u)
+			assert.NoError(t, err)
+			assert.False(t, can)
+		})
+	})
+}
diff --git a/pkg/models/tasks_rights.go b/pkg/models/tasks_rights.go
index edae548b3..2cb752cf2 100644
--- a/pkg/models/tasks_rights.go
+++ b/pkg/models/tasks_rights.go
@@ -51,6 +51,11 @@ func (t *Task) CanRead(a web.Auth) (canRead bool, err error) {
 	return l.CanRead(a)
 }
 
+// CanWrite checks if a user has write access to a task
+func (t *Task) CanWrite(a web.Auth) (canWrite bool, err error) {
+	return t.canDoTask(a)
+}
+
 // Helper function to check if a user can do stuff on a list task
 func (t *Task) canDoTask(a web.Auth) (bool, error) {
 	// Get the task