Skip to content

fix: Check owner can create boards when importing#7341

Merged
juliusknorr merged 1 commit intomainfrom
fix-board-import-auth-restriction
Nov 5, 2025
Merged

fix: Check owner can create boards when importing#7341
juliusknorr merged 1 commit intomainfrom
fix-board-import-auth-restriction

Conversation

@luka-nextcloud
Copy link
Copy Markdown
Contributor

@luka-nextcloud luka-nextcloud commented Nov 4, 2025
edited
Loading

  • Resolves: #
  • Target version: main

Summary

Adds permission checks to board import functionality to ensure that only users with the appropriate rights can create boards. The main changes involve enforcing these checks in both the UI controller and API controller, and extending unit tests to cover permission scenarios.

Permission enforcement improvements:

  • Added a check in BoardController::import to throw NoPermissionException if the user is not allowed to create boards.
  • Added a similar permission check in BoardImportApiController::import, preventing board creation via API for unauthorized users.

Dependency and test updates:

  • Injected PermissionService into BoardImportApiController and updated its constructor accordingly.
  • Updated the unit test BoardImportApiControllerTest to mock PermissionService, test successful import when permitted, and add a new test for denied permission, ensuring NoPermissionException is thrown.

Checklist

  • Code is properly formatted
  • Sign-off message is added to all commits
  • Tests (unit, integration, api and/or acceptance) are included
  • Documentation (manuals or wiki) has been updated or is not required

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Nov 4, 2025

🐢 Performance warning.
It looks like the query count of the integration tests increased with this PR.
Database query count is now 83517 was 82774 (+0.89%)
Please check your code again. If you added a new test this can be expected and the base value in tests/integration/base-query-count.txt can be increased.

@luka-nextcloud luka-nextcloud force-pushed the fix-board-import-auth-restriction branch from 5e7ba3a to 780e843 Compare November 5, 2025 07:45
@juliusknorr
Copy link
Copy Markdown
Member

juliusknorr commented Nov 5, 2025

Just to double check, do we already hide the import functionality in the ui then?

@luka-nextcloud
Copy link
Copy Markdown
Contributor Author

luka-nextcloud commented Nov 5, 2025

Just to double check, do we already hide the import functionality in the ui then?

@juliusknorr Yes, the Import board menu is already hidden if the user doesn't have create permission.

@nickvergessen nickvergessen changed the title fix: authorization bypass in board import fix: Check owner can create boards when importing Nov 5, 2025
@luka-nextcloud luka-nextcloud force-pushed the fix-board-import-auth-restriction branch from 780e843 to 8d4465b Compare November 5, 2025 13:48
@juliusknorr juliusknorr merged commit b6c99b6 into main Nov 5, 2025
36 checks passed
@juliusknorr juliusknorr deleted the fix-board-import-auth-restriction branch November 5, 2025 21:25
@luka-nextcloud
Copy link
Copy Markdown
Contributor Author

luka-nextcloud commented Nov 6, 2025

/backport to stable31

@luka-nextcloud
Copy link
Copy Markdown
Contributor Author

luka-nextcloud commented Nov 6, 2025

/backport to stable32

This was referenced Nov 6, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juliusknorr juliusknorr juliusknorr approved these changes

@grnd-alt grnd-alt Awaiting requested review from grnd-alt grnd-alt is a code owner

@elzody elzody Awaiting requested review from elzody elzody is a code owner

Assignees

No one assigned

Labels

3. to review bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@luka-nextcloud @juliusknorr