From 86d3de2211ed07cbe37cc7059f03843eb4887097 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Fri, 25 Mar 2022 10:02:53 +0100
Subject: [PATCH] Properly check for the stack AND setting board permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Service/StackService.php | 7 +++++--
 tests/unit/Service/StackServiceTest.php | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/Service/StackService.php b/lib/Service/StackService.php
index 232dc6fc7..79f659eba 100644
--- a/lib/Service/StackService.php
+++ b/lib/Service/StackService.php
@@ -290,10 +290,13 @@ public function update($id, $title, $boardId, $order, $deletedAt) {
 throw new BadRequestException('order must be a number');
 }
- $this->permissionService->checkPermission($this->stackMapper, $boardId, Acl::PERMISSION_MANAGE);
- if ($this->boardService->isArchived($this->stackMapper, $boardId)) {
+ $this->permissionService->checkPermission($this->stackMapper, $id, Acl::PERMISSION_MANAGE);
+ $this->permissionService->checkPermission($this->boardMapper, $boardId, Acl::PERMISSION_MANAGE);
+
+ if ($this->boardService->isArchived($this->stackMapper, $id)) {
 throw new StatusException('Operation not allowed. This board is archived.');
 }
+
 $stack = $this->stackMapper->find($id);
 $changes = new ChangeSet($stack);
 $stack->setTitle($title);
diff --git a/tests/unit/Service/StackServiceTest.php b/tests/unit/Service/StackServiceTest.php
index 79e04eca3..913a74f69 100644
--- a/tests/unit/Service/StackServiceTest.php
+++ b/tests/unit/Service/StackServiceTest.php
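Review bot: The archived-board guard in the new `update()` lines only looks at the board the stack currently belongs to (`isArchived($this->stackMapper, $id)`), while the board named by the caller-supplied `$boardId` is now permission-checked but never checked for being archived. If code further down assigns `$boardId` to the stack (not visible here; the body of `update()` starts before and continues past this hunk), the "This board is archived" rule would not be enforced for the destination board. Consider guarding both, e.g. `if ($this->boardService->isArchived($this->stackMapper, $id) || $this->boardService->isArchived($this->boardMapper, $boardId)) {`, after confirming that `isArchived()` accepts the board mapper, since its signature is not shown on this page. A short comment above the two `checkPermission` calls, such as `// $id and $boardId are both request-supplied: authorise the stack being edited and the board it is assigned to separately`, would keep a later cleanup from collapsing them into one check again.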
@@ -195,7 +195,7 @@ public function testDelete() {
 }
 public function testUpdate() {
- $this->permissionService->expects($this->once())->method('checkPermission');
+ $this->permissionService->expects($this->exactly(2))->method('checkPermission');
 $stack = new Stack();
 $this->stackMapper->expects($this->once())->method('find')->willReturn($stack);
 $this->stackMapper->expects($this->once())->method('update')->willReturn($stack);
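Review bot: `exactly(2)` in `testUpdate()` pins only the number of `checkPermission` calls, not which mapper and id each call receives, so the pre-fix behaviour of authorising against the wrong object would still pass as long as it happened twice. Constraining the arguments would make the test guard the authorization fix itself; on PHPUnit versions that still provide it, `->withConsecutive([$this->stackMapper, <stack id>, Acl::PERMISSION_MANAGE], [$this->boardMapper, <board id>, Acl::PERMISSION_MANAGE])` is one way, with the placeholders replaced by the ids this test passes to `update()` (that call is outside the hunk). A companion case in which the board-level check throws and `$this->stackMapper->expects($this->never())->method('update')` is asserted would cover the denial path. `testUpdate()` continues past the last line shown.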