Deck: Rest API: assigned users without read permissions

Created on 3 Oct 2019 · 7 Comments · Source: nextcloud/deck

Describe the bug
A friend of mine has an account on my Nextcloud instance. I made a board for him and shared it with him. Now my friend creates a board (using the Deck Android app, therefore the REST API) and assigns a card to me.
-> I get a notification via the NC Files app
-> I still can't see the board, nor the card.

Is this working as designed?



Labels: 1. to develop, bug, api

All 7 comments

As discussed, you should not be able to assign users who are not part of the board to a card. How do you get the list of users in the Android app for assigning to the card?

Select * from users where accountId = ? -> no ACL check, not depending on boards. We plan to include ACL as well, but shouldn't the server validate the REST call? I mean... you know...

BTW: The users in the DB are all users I know about for a specific account.

Just looked it up. The users are either owners of boards, or the user behind the account, or already assigned to at least one card on any board of the account.

The GET /boards - Get a list of boards endpoint should return a list of users per board that can be assigned to the card. However I'll look into limiting the assignment on the server side as well.
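The check the maintainer describes, written out as an added example (this is not Deck's own code, and the board, ACL and card structures, the group table and all function names are assumptions made for the illustration): a user may be assigned to a card only if they own the board or appear in its ACL, directly or through a group, and the server enforces this regardless of which candidate list the client used. The same participant set is what a `GET /boards` response would expose per board so that a client does not have to fall back to an unfiltered local user table.

```python
"""Server-side participant check for card assignment (added example, not Deck code)."""
from dataclasses import dataclass, field


class AssignmentDenied(Exception):
    """Raised when a user is not a participant of the card's board."""


@dataclass(frozen=True)
class AclEntry:
    participant: str          # user id or group id
    is_group: bool = False    # True when `participant` names a group


@dataclass
class Board:
    id: int
    owner: str
    acl: list = field(default_factory=list)   # list of AclEntry


@dataclass
class Card:
    id: int
    board_id: int
    assigned: set = field(default_factory=set)  # user ids assigned to the card


# Constructed sample data modelling the report: alice shares board 1 with
# bob and the "dev" group; bob owns board 2 and shares it with nobody.
GROUP_MEMBERS = {"dev": {"carol", "dave"}}
BOARDS = {
    1: Board(1, "alice", [AclEntry("bob"), AclEntry("dev", is_group=True)]),
    2: Board(2, "bob"),
}
# What an unfiltered client query ("select * from users where accountId = ?")
# would offer as candidates: every user the app has ever seen for the account.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "eve"}


def participants(board: Board, group_members: dict) -> set:
    """Users allowed on the board: the owner plus every ACL user, groups expanded."""
    users = {board.owner}
    for entry in board.acl:
        if entry.is_group:
            users |= set(group_members.get(entry.participant, ()))
        else:
            users.add(entry.participant)
    return users


def assignable_users(board: Board, group_members: dict) -> list:
    """Sorted participant list, the per-board data a board listing should return."""
    return sorted(participants(board, group_members))


def assign_user(card: Card, boards: dict, user: str, group_members: dict) -> set:
    """Server-side assignment: reject any user who is not a board participant."""
    board = boards[card.board_id]
    if user not in participants(board, group_members):
        raise AssignmentDenied(f"{user} is not a participant of board {board.id}")
    card.assigned.add(user)
    return card.assigned


def filter_candidates(candidates: set, board: Board, group_members: dict) -> dict:
    """Split a client's unfiltered candidate list into allowed and rejected users."""
    allowed = participants(board, group_members)
    return {
        "allowed": sorted(candidates & allowed),
        "rejected": sorted(candidates - allowed),
    }


if __name__ == "__main__":
    # bob assigns alice on his unshared board 2: the server must refuse.
    try:
        assign_user(Card(11, 2), BOARDS, "alice", GROUP_MEMBERS)
    except AssignmentDenied as exc:
        print("denied:", exc)
    # carol is on board 1 via the "dev" group, so this assignment succeeds.
    print("assigned:", assign_user(Card(10, 1), BOARDS, "carol", GROUP_MEMBERS))
    print(filter_candidates(KNOWN_USERS, BOARDS[1], GROUP_MEMBERS))
```

Keeping the decision in `participants()` means the card endpoint and the board listing cannot disagree about who may be assigned, which is the gap the Android app's local query exposed.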
