
Commit 047378e

Merge pull request #50711 from nextcloud/fix/reminder-node-access
fix(files_reminders): Only allow updating reminders if the file is accessible
2 parents 74c2579 + fd591b0 commit 047378e


2 files changed

+18
-6
lines changed


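--- a/apps/files_reminders/lib/Controller/ApiController.php
+++ b/apps/files_reminders/lib/Controller/ApiController.php
@@ -57,7 +57,7 @@ public function get(int $fileId): DataResponse {
 'dueDate' => $reminder->getDueDate()->format(DateTimeInterface::ATOM), // ISO 8601
 ];
 return new DataResponse($reminderData, Http::STATUS_OK);
-} catch (DoesNotExistException $e) {
+} catch (NodeNotFoundException|DoesNotExistException $e) {
 $reminderData = [
 'dueDate' => null,
 ];
@@ -125,7 +125,7 @@ public function remove(int $fileId): DataResponse {
 try {
 $this->reminderService->remove($user, $fileId);
 return new DataResponse([], Http::STATUS_OK);
-} catch (DoesNotExistException $e) {
+} catch (NodeNotFoundException|DoesNotExistException $e) {
 return new DataResponse([], Http::STATUS_NOT_FOUND);
 }
 }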
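Review bot: Neither hunk in ApiController.php shows a `use` line for `NodeNotFoundException`, and the section changes only the two `catch` lines, so the import has to exist already further up the file. PHP does not complain about a class name in a `catch` that resolves to nothing; the clause would simply never match, and the exception thrown by `checkNode()` would propagate past the controller instead of producing the null `dueDate` response in `get()` or the 404 in `remove()`. A controller test that requests and removes a reminder for a file id the user cannot access would confirm both paths. `get()` and `remove()` both start outside the hunks.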

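--- a/apps/files_reminders/lib/Service/ReminderService.php
+++ b/apps/files_reminders/lib/Service/ReminderService.php
@@ -47,9 +47,11 @@ public function get(int $id): RichReminder {
 }
 
 /**
+* @throws NodeNotFoundException
 * @throws DoesNotExistException
 */
 public function getDueForUser(IUser $user, int $fileId): RichReminder {
+$this->checkNode($user, $fileId);
 $reminder = $this->reminderMapper->findDueForUser($user, $fileId);
 return new RichReminder($reminder, $this->root);
 }
@@ -74,17 +76,14 @@ public function getAll(?IUser $user = null) {
 */
 public function createOrUpdate(IUser $user, int $fileId, DateTime $dueDate): bool {
 $now = new DateTime('now', new DateTimeZone('UTC'));
+$this->checkNode($user, $fileId);
 try {
 $reminder = $this->reminderMapper->findDueForUser($user, $fileId);
 $reminder->setDueDate($dueDate);
 $reminder->setUpdatedAt($now);
 $this->reminderMapper->update($reminder);
 return false;
 } catch (DoesNotExistException $e) {
-$node = $this->root->getUserFolder($user->getUID())->getFirstNodeById($fileId);
-if (!$node) {
-throw new NodeNotFoundException();
-}
 // Create new reminder if no reminder is found
 $reminder = new Reminder();
 $reminder->setUserId($user->getUID());
@@ -98,9 +97,11 @@ public function createOrUpdate(IUser $user, int $fileId, DateTime $dueDate): boo
 }
 
 /**
+* @throws NodeNotFoundException
 * @throws DoesNotExistException
 */
 public function remove(IUser $user, int $fileId): void {
+$this->checkNode($user, $fileId);
 $reminder = $this->reminderMapper->findDueForUser($user, $fileId);
 $this->reminderMapper->delete($reminder);
 }
@@ -161,4 +162,15 @@ public function cleanUp(?int $limit = null): void {
 $this->reminderMapper->delete($reminder);
 }
 }
+
+/**
+* @throws NodeNotFoundException
+*/
+private function checkNode(IUser $user, int $fileId): void {
+$userFolder = $this->root->getUserFolder($user->getUID());
+$node = $userFolder->getFirstNodeById($fileId);
+if ($node === null) {
+throw new NodeNotFoundException();
+}
+}
 }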
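Review bot: `checkNode()` carries the whole access decision for `getDueForUser()`, `createOrUpdate()` and `remove()`, but its docblock has only the `@throws` line; a summary such as `Ensure the file is visible in the user's folder before a reminder for it is read or changed` would explain why the looked-up node is otherwise unused. In `remove()` the check now runs before `findDueForUser()`, so a reminder whose file is no longer reachable for the user (for example after an unshare) can no longer be deleted through this method and presumably stays until `cleanUp()` or another job removes it; that path lies outside these hunks and should be confirmed. The commit changes only these two files, so a service test that passes an inaccessible file id to each of the three methods would keep the check from regressing.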
