Properly check for the stack AND setting board permissions

Signed-off-by: Julius Härtl <[email protected]>

lib/Service/StackService.php

@@ -290,10 +290,13 @@ public function update($id, $title, $boardId, $order, $deletedAt) {
 			throw new BadRequestException('order must be a number');
 		}
 
-		$this->permissionService->checkPermission($this->stackMapper, $boardId, Acl::PERMISSION_MANAGE);
-		if ($this->boardService->isArchived($this->stackMapper, $boardId)) {
+		$this->permissionService->checkPermission($this->stackMapper, $id, Acl::PERMISSION_MANAGE);
+		$this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_MANAGE);
+
+		if ($this->boardService->isArchived($this->stackMapper, $id)) {
 			throw new StatusException('Operation not allowed. This board is archived.');
 		}
+
 		$stack = $this->stackMapper->find($id);
 		$changes = new ChangeSet($stack);
 		$stack->setTitle($title);

tests/unit/Service/StackServiceTest.php

@@ -195,7 +195,7 @@ public function testDelete() {
 	}
 
 	public function testUpdate() {
-		$this->permissionService->expects($this->once())->method('checkPermission');
+		$this->permissionService->expects($this->exactly(2))->method('checkPermission');
 		$stack = new Stack();
 		$this->stackMapper->expects($this->once())->method('find')->willReturn($stack);
 		$this->stackMapper->expects($this->once())->method('update')->willReturn($stack);